IT Governance

An IS auditor who has discovered unauthorized transactions during a review of EDI transactions is likely to recommend improving the: A. EDI trading partner agreements. B. physical controls for terminals. C. authentication techniques for sending and receiving messages. D. program change control procedures.

C. Authentifcation techniques for sending and receiving messages. Answer: C Explanation: Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions. The EDI trading partner agreements would minimize exposure to legal issues.

Which of the following should be the MOST important consideration when deciding areas of priority for IT governance implementation? A. Process maturity B. Performance indicators C. Business risk D. Assurance reports

C. Business risk Answer: C Explanation: Priority should be given to those areas which represent a known risk to the enterprise's operations. The level of process maturity, process performance and audit reports will feed into the decision making process. Those areas that represent real risk to the business should be given priority.

Which of the following types of data validation editing checks is used to determine if a field contains data, and not zeros or blanks? A. Check digit B. Existence check C. Completeness check D. Reasonableness check

C. Completeness check. Answer: C Explanation: A completeness check is used to determine if a field contains data and not zeros or blanks. A check digit is a digit calculated mathematically to ensure original data were not altered. An existence check also checks entered data for agreement to predetermined criteriA. A reasonableness check matches input to predetermined reasonable limits or occurrence rates.

An IS auditor is told by IS management that the organization has recently reached the highest level of the software capability maturity model (CMM). The software quality process MOST recently added by the organization is: A. continuous improvement. B. quantitative quality goals. C. a documented process. D. a process tailored to specific projects.

A . Continous improvement Answer: A Explanation: An organization would have reached the highest level of the software CMM at level 5, optimizing. Quantitative quality goals can be reached at level 4 and below, a documented process is executed at level 3 and below, and a process tailored to specific projects can be achieved at level 3 or below.

Business units are concerned about the performance of a newly implemented system. Which of the following should an IS auditor recommend? A. Develop a baseline and monitor system usage. B. Define alternate processing procedures. C. Prepare the maintenance manual. D. implement the changes users have suggested.

A. Develop a baseline and monitor system usage. Answer: A Explanation: An IS auditor should recommend the development of a performance baseline and monitor the system's performance, against the baseline, to develop empirical data upon which decisions for modifying the system can be made. Alternate processing proceduresand a maintenance manual will not alter a system's performance. Implementing changes without knowledge of thecause(s)forthe perceived poor performance may not result in a more efficient system.

To reduce the possibility of losing data during processing, the FIRST point at which control totals should be implemented is: A. during data preparation. B. in transit to the computer. C. between related computer runs. D. during the return of the data to the user department.

A. During Data preparation. Answer: A Explanation: During data preparation is the best answer, because it establishes control at the earliest point.

The phases and deliverables of a system development life cycle (SDLC) project should be determined: A. during the initial planning stages of the project. B. after early planning has been completed, but before work has begun. C. throughout the work stages, based on risks and exposures. D. only after all risks and exposures have been identified and the IS auditor has recommended appropriate controls.

A. Durng the initial planning stages of the project Answer: A Explanation: It is extremely important that the project be planned properly and that the specific phases and deliverables be identified during the early stages of the project.

During an application audit, an IS auditor finds several problems related to corrupted data in the database. Which of the following is a corrective control that the IS auditor should recommend? A. implement data backup and recovery procedures. B. Define standards and closely monitor for compliance. C. Ensure that only authorized personnel can update the database. D. Establish controls to handle concurrent access problems.

A. Implement data backup and recovery proceudres. Answer: A Explanation: Implementing data backup and recovery procedure is a corrective control, because backup and recovery procedures can be used to roll back database errors. Defining or establishing standards is a preventive control, while monitoring for compliance is adetective control. Ensuring that only authorized personnel can update the database is a preventive control. Establishing controls to handle concurrent access problems is also a preventive control.

The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure: A. integrity. B. authenticity. C. authorization. D. nonrepudiation.

A. Integrity. Answer: A Explanation: A checksum calculated on an amount field and included in the EDI communication can be used to identify unauthorized modifications. Authenticity and authorization cannot be established by a checksum alone and need other controls. Nonrepudiation can beensured by using digital signatures.

Which of the following is an advantage of the top-down approach to software testing? A. Interface errors are identified early B. Testing can be started before all programs are complete C. it is more effective than other testing approaches D. Errors in critical modules are detected sooner

A. Interface errors are idnetified early. Answer: A Explanation: The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. The most effective testing approach is dependent on the environment being tested. Choices B and D areadvantages of the bottom-up approach to system testing.

A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy: A. payroll reports should be compared to input forms. B. gross payroll should be recalculated manually. C. checks (cheques) should be compared to input forms. D. checks (cheques) should be reconciled with output reports.

A. Payroll reports should be compared to input forms. Answer: A Answer: A Explanation: The best way to confirm data accuracy, when input is provided by the company and output is generated by the bank, is to verify the data input (input forms) with the results of the payroll reports. Hence, comparing payroll reports with input forms isthe best mechanism of verifying data accuracy. Recalculating gross payroll manually would only verify whether the processing is correct and not the data accuracy of inputs. Comparing checks (cheques) to input forms is not feasible as checks (cheques)have the processed information and input forms have the input datA. Reconciling checks (cheques) with output reports only confirms that checks (cheques) have been issued as per output reports.

Which of the following is the most important element in the design of a data warehouse? A. Quality of the metadata B. Speed of the transactions C. Volatility of the data D. Vulnerability of the system

A. quality of the metadata. Anwer: A Explanation: Quality of the metadata is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata aim to provide a table of contents to the information stored in the data warehouse. Companies that have built warehouses believe that metadata are the most important component of the warehouse.

Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)? A. Function point analysis B. Earned value analysis C. Cost budget D. Program Evaluation and Review Technique

Answer: B Explanation: Earned value analysis (EVA) is an industry standard method for measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds. It compares the planned amount of work with what has actually been completed, to determine if the cost,

Which of the following would BEST provide assurance of the integrity of new staff? A. Background screening B. References C. Bonding D. Qualifications listed on a resume

Answer: A Explanation: A background screening is the primary method for assuring the integrity of a prospective staff member. References are important and would need to be verified, but they are not as reliable as background screening. Bonding is directed at due-diligencecompliance, not at integrity, and qualifications listed on a resume may not be accurate.

Which of the following is an advantage of prototyping? A. The finished system normally has strong internal controls. B. Prototype systems can provide significant time and cost savings. C. Change control is often less complicated with prototype systems. D. it ensures that functions or extras are not added to the intended system.

Answer: B Explanation: Prototype systems can provide significant time and cost savings; however, they also have several disadvantages. They often have poor internal controls, change control becomes much more complicated, and it often leads to functions or extras being added to the system that were not originally intended.

Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card? A. Intrusion detection systems B. Data mining techniques C. Firewalls D. Packet filtering routers

B. Data mining techniques. Answer: B Explanation: Data mining is a technique used to detect trends or patterns of transactions or datA. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card.

Which of the following is MOST critical when creating data for testing the logic in a new or modified application system? A. A sufficient quantity of data for each test case B. Data representing conditions that are expected in actual processing C. Completing the test on schedule D. A random sample of actual data

B. Data representing conditions that are expected in actual processing. Answer: B Answer: B Explanation: Selecting the right kind of data is key in testing a computer system. The data should not only include valid and invalid data but should be representative of actual processing; quality is more important than quantity. It is more important to have adequate test data than to complete the testing on schedule. It is unlikely that a random sample of actual data would cover all test conditions and provide a reasonable representation of actual data.

The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as: A. rules. B. decision trees. C. semantic nets. D. dataflow diagrams.

B. Decision trees Answer: B Answer: B Explanation: Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships. Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. Semantic nets resemble a dataflow diagram and make use of an inheritance mechanism to prevent duplication of data.

What is the lowest level of the IT governance maturity model where an IT balanced scorecard exists? A. Repeatable but Intuitive B. Defined C. Managed and Measurable D. Optimized

B. Defined. Answer: B Explanation: Defined (level 3) is the lowest level at which an IT balanced scorecard is defined.

When developing a security architecture, which of the following steps should be executed FIRST? A. Developing security procedures B. Defining a security policy C. Specifying an access control methodology D. Defining roles and responsibilities

B. Defining a security policy. Answer: B Explanation: Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies willoften set the stage in terms of what tools and procedures are needed for an organization. The other choices should be executed only after defining a security policy.

Following best practices, formal plans for implementation of new information systems are developed during the: A. development phase. B. design phase. C. testing phase. D. deployment phase.

B. Design Phase Answer: B Explanation: Planning for implementation should begin well in advance of the actual implementation date. A formal implementation plan should be constructed in the design phase and revised as the development progresses.

Which of the following will BEST ensure the successful offshore development of business applications? A. Stringent contract management practices B. Detailed and correctly applied specifications C. Awareness of cultural and political differences D. Postimplementation reviews

B. Detailed and correctly applied specifications. Answer: B Explanation: When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptionsand modifications may not be adequately communicated. Contract management practices, cultural and political differences, and postimplementation reviews, although important, are not as pivotal to the success of the project.

Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration? A. Function point analysis B. PERT chart C. Rapid application development D. Object-oriented system development

B. PERT chart Explanation: A PERT chart will help determine project duration once all the activities and the work involved with those activities are known. Function point analysis is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries, logical internal files, etc. While this will help determine the size of individual activities, it will not assist in determining project duration since there are many overlapping tasks. Rapid application development is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality, while object-oriented system development is the process of solution specification and modeling.

Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of: A. pre-BPR process flowcharts. B. post-BPR process flowcharts. C. BPR project plans. D. continuous improvement and monitoring plans.

B. Post-BPR process flowcharts. Answer: B Explanation: An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process. Choice A is incorrect because an IS auditor must review the process as it is today, not as it was in the past. Choices C and D areincorrect because they are steps within a BPR project.

Change control for business application systems being developed using prototyping could be complicated by the: A. iterative nature of prototyping. B. rapid pace of modifications in requirements and design. C. emphasis on reports and screens. D. lack of integrated tools.

B. Rapid pace of modifications in requirements and design. Answer: B Explanation: Changes in requirements and design happen so quickly that they are seldom documented or approved. Choices A, C and D are characteristics of prototyping, but they do not have an adverse effect on change control.

An IS auditor's PRIMARY concern when application developers wish to use a copy of yesterday's production transaction file for volume tests is that: A. users may prefer to use contrived data for testing. B. unauthorized access to sensitive data may result. C. error handling and credibility checks may not be fully proven. D. the full functionality of the new process may not necessarily be tested.

B. Unauthorized access to sensitive data may result. Answer: B Explanation: Unless the data are sanitized, there is a risk of disclosing sensitive data.

Which of the following would help to ensure the portability of an application connected to a database? A. Verification of database import and export procedures B. Usage of a structured query language (SQL) C. Analysis of stored procedures/triggers D. Synchronization of the entity-relation model with the database physical schema

B. Usage of a structured query language (SQL) Answer: B Explanation: The use of SQL facilitates portability. Verification of import and export procedures with other systems ensures better interfacing with other systems, analyzing stored procedures/triggers ensures proper access/performance, and reviewing the design entityrelation model will be helpful, but none of these contribute to the portability of an application connecting to a database.

An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely: A. check to ensure that the type of transaction is valid for the card type. B. verify the format of the number entered then locate it on the database. C. ensure that the transaction entered is within the cardholder's credit limit. D. confirm that the card is not shown as lost or stolen on the master file.

B. Verify the format of the number entered then locate it on the databse. Answer: B Explanation: The initial validation should confirm whether the card is valid. This validity is established through the card number and PIN entered by the user. Based on this initial validation, all other validations will proceed. A validation control in data capture will ensure that the data entered is valid (i.e., it can be processed by the system). If the data captured in the initial validation is not valid (if the card number or PIN do not match with the database), then the card will be rejected or captured per the controls in place. Once initial validation is completed, then other validations specific to the card and cardholder would be performed.

Documentation of a business case used in an IT development project should be retained until: A. the end of the system's life cycle. B. the project is approved. C. user acceptance of the system. D. the system is in production.

.A. The end of the systems life cycle. Answer: A Explanation: A business case can and should be used throughout the life cycle of the product. It serves as an anchor for new (management) personnel, helps to maintain focus and provides valuable information on estimates vs. actuals. Questions like, 'why dowe do that,"what was the original intent' and 'how did we perform against the plan' can be answered, and lessons for developing future business cases can be learned. During the development phase of a project one shouldalways validate the business case, as it is a good management instrument. After finishing a project and entering production, the business case and all the completed research are valuable sources of information that should be kept for further reference

When auditing the proposed acquisition of a new computer system, an IS auditor should FIRST establish that: A. a clear business case has been approved by management. B. corporate security standards will be met. C. users will be involved in the implementation plan. D. the new system will meet all required user functionality.

A. A clear business case has been approved by management. Answer: A Explanation: The first concern of an IS auditor should be to establish that the proposal meets the needs of the business, and this should be established by a clear business case. Although compliance with security standards is essential, as is meeting the needs ofthe users and having users involved in the implementation process, it is too early in the procurement process for these to be an IS auditor's first concern.

When an organization is outsourcing their information security function, which of the following should be kept in the organization? A. Accountability for the corporate security policy B. Defining the corporate security policy C. Implementing the corporate security policy D. Defining security procedures and guidelines

A. Accountability for the corporate security policy. Answer: A Explanation: Accountability cannot be transferred to external parties. Choices B, C and D can be performed by outside entities as long as accountability remains within the organization.

Which of the following is the MOST critical and contributes the greatest to the quality of data in a data warehouse? A. Accuracy of the source data B. Credibility of the data source C. Accuracy of the extraction process D. Accuracy of the data transformation

A. Accuracy of the source data. Answer: A Explanation: Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Credibility of the data source, accurate extraction processes and accurate transformation routines are all important, but would not change inaccurate data intoquality (accurate) data.

Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IS department? A. Allocating resources B. Keeping current with technology advances C. Conducting control self-assessment D. Evaluating hardware needs

A. Allocating resources. Answer: A Explanation: The IS department should specifically consider the manner in which resources are allocated in the short term. Investments in IT need to be aligned with top management strategies, rather than focusing on technology for technology's sake. Conducting control self-assessments and evaluating hardware needs are not as critical as allocating resources during short-term planning for the IS department.

Which of the following situations would increase the likelihood of fraud? A. Application programmers are implementing changes to production programs. B. Application programmers are implementing changes to test programs. C. Operations support staff are implementing changes to batch schedules. D. Database administrators are implementing changes to data structures.

A. Application programmers are implementing changes to production environments. Answer: A Explanation: Production programs are used for processing an enterprise's datA. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data.Application programmers are required to implement changes to test programs. These are used only in development and do not directly impact the live processing of datA. The implementation of changes to batch schedules by operations support staff willaffect the scheduling of the batches only; it does not impact the live datA. Database administrators are required to implement changes to data structures. This is required for reorganization of the database to allow for additions, modifications or deletions of fields or tables in the database.

Which of the following is a prevalent risk in the development of end-user computing (EUC) applications? A. Applications may not be subject to testing and IT general controls B. increased development and maintenance costs C. increased application development time D. Decision-making may be impaired due to diminished responsiveness to requests for information

A. Applications may not be subject to testing and IT general controls. Answer: A Answer: A Explanation: End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls,quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications. End-user computing (EUC) systems typically result in reduced application development and maintenance costs, and a reduced development cycle time. EUC systems normally increase flexibility and responsiveness to management's information requests.

Functional acknowledgements are used: A. as an audit trail for EDI transactions. B. to functionally describe the IS department. C. to document user roles and responsibilities. D. as a functional description of application software.

A. As an audit trail for EDI transactions. Answer:A Explanation: Functional acknowledgements are standard EDI transactions that tell trading partners that their electronic documents were received. Different types of functional acknowledgments provide various levels of detail and, therefore, can act as an audit trail for EDI transactions. The other choices are not relevant to the description of functional acknowledgements.

An IS auditor performing an application maintenance audit would review the log of program changes for the: A. authorization of program changes. B. creation date of a current object module. C. number of program changes actually made. D. creation date of a current source program.

A. Authorization of program changes. Answer: A Answer: A Explanation: The manual log will most likely contain information on authorized changes to a program. Deliberate, unauthorized changes will not be documented by the responsible party. An automated log, found usually in library management products, and not a changelog would most likely contain date information for the source and executable modules.

Which of the following is a dynamic analysis tool for the purpose of testing software modules? A. Black box test B. Desk checking C. Structured walkthrough D. Design and code

A. Black box test. Answer: A Explanation: A black box test is a dynamic analysis tool for testing software modules. During the testing of software modules a black box test works first in a cohesive manner as a single unit/entity consisting of numerous modules, and second with the user data that flows across software modules, in some cases, this even drives the software behavior. In choices B, C and D, the software (design or code) remains static and someone closely examines it by applying their mind, without actually activating the software. Therefore, these cannot be referred to as dynamic analysis tools.

During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful: A. buffer overflow. B. brute force attack. C. distributed denial-of-service attack. D. war dialing attack.

A. Buffer overflow. Answer: A Explanation: Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques. A brute force attack is used to crack passwords. A distributed denial-of-service attack floods its target with numerous packets, to prevent it from responding to legitimate requests. War dialing uses modem-scanning tools to hack PBXs.

The GREATEST benefit in implementing an expert system is the: A. capturing of the knowledge and experience of individuals in an organization. B. sharing of knowledge in a central repository. C. enhancement of personnel productivity and performance. D. reduction of employee turnover in key departments.

A. Capturing of the knowledge and experience of individuals in an organization Answer: A Explanation: The basis for an expert system is the capture and recording of the knowledge and experience of individuals in an organization. Coding and entering the knowledge in a central repository, shareable within the enterprise, is a means of facilitating the expert system. Enhancing personnel productivity and performance is a benefit; however, it is not as important as capturing the knowledge and experience. Employee turnover is not necessarily affected by an expert system.

An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor's MAIN concern should be that the: A. complexity and risks associated with the project have been analyzed. B. resources needed throughout the project have been determined. C. project deliverables have been identified. D. a contract for external parties involved in the project has been completed.

A. Complexity and risks asssociated with the prokect have been analyzed. Answer: A Explanation: Understanding complexity and risk, and actively managing these throughout a project are critical to a successful outcome. The other choices, while important during the course of the project, cannot be fully determined at the time the project is initiated, and are often contingent upon the risk and complexity of the project.

An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted as defect fixes are implemented by developers. Which of the following would be the BEST recommendation for an IS auditor to make? A. Consider feasibility of a separate user acceptance environment B. Schedule user testing to occur at a given time each day C. implement a source code version control tool D. Only retest high priority defects

A. Consider feasability of a separate user acceptance environment. Answer: A Explanation: A separate environment or environments is normally necessary for testing to be efficient and effective, and to ensure the integrity of production code, it is important that the development and testing code base be separate. When defects are identified they can be fixed in the development environment, without interrupting testing, before being migrated in a controlled manner to the test environment. A separate test environment can also be used as the final staging area from which code is migratedto production. This enforces a separation between development and production code. The logistics of setting up and refreshing customized test data is easier if a separate environment is maintained. If developers and testers are sharing the same environment, they have to work effectively at separate times of the day. It is unlikely that this would provide optimum productivity. Use of a source code control tool is a good practice, but it does not properly mitigate the lack of an appropriate testing environment. Even low priority fixes run the risk of introducing unintended results when combined with the rest of the system code. To prevent this, regular regression testing covering all code changes should occur. A separate test environment makes the logistics of regression testing easier to manage.

An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a: A. correlation of semantic characteristics of the data migrated between the two systems. B. correlation of arithmetic characteristics of the data migrated between the two systems. C. correlation of functional characteristics of the processes between the two systems. D. relative efficiency of the processes between the two systems.

A. Correlation of semantic characteristics of the data migrated between the two systems. Answer: A Explanation: Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data is the same in the new as it was in the old system. Arithmetic characteristics represent aspects of data structure and internal definition in the database, and therefore are less important than the semantic characteristics. A review of the correlation of the functional characteristics or a review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.

While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the: A. effectiveness of the QA function because it should interact between project management and user management B. efficiency of the QA function because it should interact with the project implementation team. C. effectiveness of the project manager because the project manager should interact with the QA function. D. efficiency of the project manager because the QA function will need to communicate with the project implementation team.

A. Effectiveness of the QA ]function because it should interact between project management and user management. Answer: A Explanation: To be effective the quality assurance (QA) function should be independent of project management. The QA function should never interact with the project implementation team since this can impact effectiveness. The project manager does not interact with the QA function, which should not impact the effectiveness of the project manager. The QA function does not interact with the project implementation team, which should not impact the efficiency of the project manager.

Functionality is a characteristic associated with evaluating the quality of software products throughout their life cycle, and is BEST described as the set of attributes that bear on the: A. existence of a set of functions and their specified properties. B. ability of the software to be transferred from one environment to another. C. capability of software to maintain its level of performance under stated conditions. D. relationship between the performance of the software and the amount of resources used.

A. Existence of a set of functions and their specified properties. Answer: A Explanation: Functionality is the set of attributes that bears on the existence of a set of functions and their specified properties. The functions are those that satisfy stated or implied needs. Choice B refers to portability, choice C refers to reliability andchoice D refers to efficiency.

The use of object-oriented design and development techniques would MOST likely: A. facilitate the ability to reuse modules. B. improve system performance. C. enhance control effectiveness. D. speed up the system development life cycle.

A. Facilitate the abilt to reuse modules. Answer A Explanation: One of the major benefits of object-oriented design and development is the ability to reuse modules. The other options do not normally benefit from the object-oriented technique.

The waterfall life cycle model of software development is most appropriately used when: A. requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate. B. requirements are well understood and the project is subject to time pressures. C. the project intends to apply an object-oriented design and programming approach. D. the project will involve the use of new technology.

A. Requirements are well understood and are expected to remain stable as in the business environment in which the system will operate. Answer: A Answer: A Explanation: Historically, the waterfall model has been best suited to the stable conditions described in choice A. When the degree of uncertainty of the system to be delivered and the conditions in which it will be used rises, the waterfall model has not been successful, in these circumstances, the various forms of iterative development life cycle gives the advantage of breaking down the scope of the overall system to be delivered, making the requirements gathering and design activities more manageable. Theability to deliver working software earlier also acts to alleviate uncertainty and may allow an earlier realization of benefits. The choice of a design and programming approach is not itself a determining factor of the type of software development life cycle that is appropriate. The use of new technology in a project introduces a significant element of risk. An iterative form of development, particularly one of the agile methods that focuses on early development of actual working software, is likely to be the better option to manage this uncertainty.

Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions? A. Response B. Correction C. Detection D. Monitoring

A. Response Answer: A Explanation: A sound IS security policy will most likely outline a response program to handle suspected intrusions. Correction, detection and monitoring programs are all aspects of information security, but will not likely be included in an IS security policy statement.

During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely: A. review access control configuration. B. evaluate interface testing. C. review detailed design documentation. D. evaluate system testing

A. Review access contorl configurations Answer: A Explanation: Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system. Since a postimplementation review is done after user acceptance testing and actual implementation, onewould not engage in interface testing or detailed design documentation. Evaluating interface testing would be part of the implementation process. The issue of reviewing detailed design documentation is not generally relevant to an enterprise resource management system, since these are usually vendor packages with user manuals. System testing should be performed before final user signoff.

Before implementing controls, management should FIRST ensure that the controls: A. satisfy a requirement in addressing a risk issue. B. do not reduce productivity. C. are based on a cost-benefit analysis. D. are detective or corrective.

A. Satisfy a requirement in addressing a risk issue. Answer: A Explanation: When designing controls, it is necessary to consider all the above aspects. In an ideal situation, controls that address all these aspects would be the best controls. Realistically, it may not be possible to design them all and cost may be prohibitive; therefore, it is necessary to first consider the preventive controls that attack the cause of a threat.

Which of the following risks could result from inadequate software baselining? A. Scope creep B. Sign-off delays C. Software integrity violations D. inadequate controls

A. Scope Creep Answer: A Explanation: A software baseline is the cut-off point in the design and development of a system beyond which additional requirements or modifications to the design do not or cannot occur without undergoing formal strict procedures for approval based on a businesscost-benefit analysis. Failure to adequately manage the requirements of a system through baselining can result in a number of risks. Foremost among these risks is scope creep, the process through which requirements change during development. ChoicesB, C and D may not always result, but choice A is inevitable.

Involvement of senior management is MOST important in the development of: A. strategic plans. B. IS policies. C. IS procedures. D. standards and guidelines.

A. Strategic plans. Answer: A Explanation: Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives. IS policies, procedures, standards and guidelines are all structured to support the overall strategic plan.

An IS auditor invited to a development project meeting notes that no project risks have been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risks and that, if risks do start impactingthe project, a risk manager will be hired. The appropriate response of the IS auditor would be to: A. stress the importance of spending time at this point in the project to consider and document risks, and to develop contingency plans. B. accept the project manager's position as the project manager is accountable for the outcome of the project. C. offer to work with the risk manager when one is appointed. D. inform the project manager that the IS auditor will conduct a review of the risks at the completion of the requirements definition phase of the project.

A. Stress the importnance of spending time at this point in the project to consider and document risks, and to develop contingency plan. Answer: A Answer: A Explanation: The majority of project risks can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with these risks. A project should have a clear link back to corporate strategy and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risks. Appointing a risk manager is a good practice but waiting until the project has been impacted by risks is misguided. Risk management needs to be forward looking; allowing risks to evolve into issues that adversely impact the project represents a failure of risk management. With or without a risk manager, persons within and outside of the project team need to be consulted and encouraged to comment when they believe new risks have emerged or risk priorities have changed. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project manage me ntpractices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.

Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project? A. System owners B. System users C. System designers D. System builders

A. System owners. Answer: A Answer: A Explanation: System owners are the information systems (project) sponsors or chief advocates. They normally are responsible for initiating and funding projects to develop, operate and maintain information systems. System users are the individuals who use or are affected by the information system. Their requirements are crucial in the testing stage of a project. System designers translate business requirements and constraints into technical solutions. System builders construct the system based on the specifications from the systems designers. In most cases, the designers and builders are one and the same.

Which of the following represents the GREATEST potential risk in an EDI environment? A. Transaction authorization B. Loss or duplication of EDI transmissions C. Transmission delay D. Deletion or manipulation of transactions prior to or after establishment of application controls

A. Transaction authorization. Answer: A Explanation: Since the interaction between parties is electronic, there is no inherent authentication occurring; therefore, transaction authorization is the greatest risk. Choices B and D are examples of risks, but the impact is not as great as that of unauthorized transactions. Transmission delays may terminate the process or hold the line until the normal time for processing has elapsed; however, there will be no loss of data.

When implementing an application software package, which of the following presents the GREATEST risk? A. Uncontrolled multiple software versions B. Source programs that are not synchronized with object code C. incorrectly set parameters D. Programming errors.

A. Uncontrolled multiple software versions B. Source programs that are not synchronized with object code C. incorrectly set parameters D. Programming errors. Answer: C Explanation: Parameters that are not set correctly would be the greatest concern when implementing an application software package. The other choices, though important, are a concern of the provider, not the organization that is implementing the software itself.

A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are entered accurately and the corresponding products are produced? A. Verifying production to customer orders B. Logging all customer orders in the ERP system C. Using hash totals in the order transmitting process D. Approving (production supervisor) orders prior to production

A. Verifying production to customer orders. Answer: A Explanation: Verification will ensure that production orders match customer orders. Logging can be used to detect inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure accurate order transmission, but not accurate processingcentrally. Production supervisory approval is a time consuming, manual process that does not guarantee proper control.

A project manager of a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after 6 months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine: A. what amount of progress against schedule has been achieved. B. if the project budget can be reduced. C. if the project could be brought in ahead of schedule. D. if the budget savings can be applied to increase the project scope.

A. What amount of progress against schedule has been achieved. Answer: A Answer: A Explanation: Cost performance of a project cannot be properly assessed in isolation of schedule performance. Cost cannot be assessed simply in terms of elapsed time on a project. To properly assess the project budget position it is necessary to know how much progress has actually been made and, given this, what level of expenditure would be expected. It is possible that project expenditure appears to be low because actual progress has been slow. Until the analysis of project against schedule has been completed, it is impossible to know whether there is any reason to reduce budget, if the project has slipped behind schedule, then not only may there be no spare budget but it is possible that extra expenditure may be needed to retrieve the slippage. The low expenditure could actually be representative of a situation where the project is likely to miss deadlines rather than potentially come in ahead of time. If the project is found to be ahead of budget after adjusting for actual progress, this is notnecessarily a good outcome because it points to flaws in the original budgeting process; and, as said above, until further analysis is undertaken, it cannot be determined whether any spare funds actually exist. Further, if the project is behind schedule, then adding scope may be the wrong thing to do.

A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process? A. Whether key controls are in place to protect assets and information resources B. If the system addresses corporate customer requirements C. Whether the system can meet the performance goals (time and resources) D. Whether owners have been identified who will be responsible for the process

A. Whether key controls are in place to protect assets and information resources. Answer: A Explanation: The audit team must advocate the inclusion of the key controls and verify that the controls are in place before implementing the new process. Choices B, C and D are objectives that the business process reengineering (BPR) process should achieve, butthey are not the auditor's primary concern.

The reason a certification and accreditation process is performed on critical systems is to ensure that: A. security compliance has been technically evaluated. B. data have been encrypted and are ready to be stored. C. the systems have been tested to run on different platforms. D. the systems have followed the phases of a waterfall model.

A. security compliance has been technically evaluated. Answer: A Explanation: Certified and accredited systems are systems that have had their security compliance technically evaluated for running on a specific production server. Choice B is incorrect because not all data of certified systems are encrypted. Choice C is incorrect because certified systems are evaluated to run in a specific environment. A waterfall model is a software development methodology and not a reason for performing a certification and accrediting process.

A clerk changed the interest rate for a loan on a master file. The rate entered is outside the normal range for such a loan. Which of the following controls is MOST effective in providing reasonable assurance that the change was authorized? A. The system will not process the change until the clerk's manager confirms the change by entering an approval code. B. The system generates a weekly report listing all rate exceptions and the report is reviewed by the clerk's manager. C. The system requires the clerk to enter an approval code. D. The system displays a warning message to the clerk

A. the system will not process the change until the clerk's manager confirms the change. Answer: A Explanaiton: Choice A would prevent or detect the use of an unauthorized interest rate. Choice B informs the manager after the fact that a change was made, thereby making it possible for transactions to use an unauthorized rate prior to management review. ChoicesC and D do not prevent the clerk from entering an unauthorized rate change.

A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing system developed in-house. in reviewing the proposed development approach, which of the following would be of GREATESTconcern? A. Acceptance testing is to be managed by users. B. A quality plan is not part of the contracted deliverables. C. Not all business functions will be available on initial implementation. D. Prototyping is being used to confirm that the system meets business requirements.

B. A quality plan is not part of the contracted deliverables. Answer: B Answer: B Explanation: A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a plan. The quality plan for the proposed development contract should be comprehensive and encompass all phases of the development and

Failure in which of the following testing stages would have the GREATEST impact on the implementation of new application software? A. System testing B. Acceptance testing C. Integration testing D. Unit testing

B. Acceptance testing. Answer: B Explanation: Acceptance testing is the final stage before the software is installed and is available for use. The greatest impact would occur if the software fails at the acceptance testing level, as this could result in delays and cost overruns. System testing is undertaken by the developer team to determine if the software meets user requirements per specifications. Integration testing examines the units/modules as one integrated system and unit testing examines the individual units or components of the software. System, integration and unit testing are all performed by the developers at various stages of development; the impact of failure is comparatively less for each than failure at the acceptance testing stage.

Which of the following is the GREATEST risk when implementing a data warehouse? A. increased response time on the production systems B. Access controls that are not adequate to prevent data modification C. Data duplication D. Data that is not updated or current

B. Access Controls that are not adequate to prevent data modification. Answer: B Explanation: Once the data is in a warehouse, no modifications should be made to it and access controls should be in place to prevent data modification. Increased response time on the production systems is not a risk, because a data warehouse does not impact production datA. Based on data replication, data duplication is inherent in a data warehouse. Transformation of data from operational systems to a data warehouse is done at predefined intervals, and as such, data may not be current.

What process uses test data as part of a comprehensive test of program controls in a continuous online manner? A. Test data/deck B. Base-case system evaluation C. Integrated test facility (ITF) D. Parallel simulation

B. Base-case system evaluation. Answer: B Explanation: A base-case system evaluation uses test data sets developed as part of comprehensive testing programs, it is used to verify correct systems operations before acceptance, as well as periodic validation. Test data/deck simulates transactions through real programs. An ITF creates fictitious files in the database with test transactions processed simultaneously with live input. Parallel simulation is the production of data processed using computer programs that simulate application program logic.

When reviewing an active project, an IS auditor observed that, because of a reduction in anticipated benefits and increased costs, the business case was no longer valid. The IS auditor should recommend that the: A. project be discontinued. B. business case be updated and possible corrective actions be identified. C. project be returned to the project sponsor for reapproval. D. project be completed and the business case be updated later.

B. Business case be updated and possible corrective actions be indentified. Answer: B Explanation: An IS auditor should not recommend discontinuing or completing the project before reviewing an updated business case. The IS auditor should recommend that the business case be kept current throughout the project since it is a key input to decisions made throughout the life of any project.

Which of the following data validation edits is effective in detecting transposition and transcription errors? A. Range check B. Check digit C. Validity check D. Duplicate check

B. Check digit Answer: B Explanation: A check digit is a numeric value that is calculated mathematically and is appended to data to ensure that the original data have not been altered, e.g., an incorrect, but valid, value substituted for the original. This control is effective in detecting transposition and transcription errors. A range check is checking data that matches a predetermined range of values. A validity check is programmed checking of the data validity in accordance with predetermined criteriA. In a duplicate check, newor fresh transactions are matched to those previously entered to ensure that they are not already in the system.

The MAIN purpose of a transaction audit trail is to: A. reduce the use of storage media. B. determine accountability and responsibility for processed transactions. C. help an IS auditor trace transactions. D. provide useful information for capacity planning.

B. Determine accountability and responsibility for processed transactions. Answer: B Explanation: Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system. Enabling audit trails increases the use of disk space. A transaction log file would be used totrace transactions, but would not aid in determining accountability and responsibility. The objective of capacity planning is the efficient and effective use of IT resources and requires information such as CPU utilization, bandwidth, number of users, etc.

Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)? A. Function point analysis B. Earned value analysis C. Cost budget D. Program Evaluation and Review Technique

B. Earned value analysis. Answer: B Explanation: Earned value analysis (EVA) is an industry standard method for measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds. It compares the planned amount of work with what has actually been completed, to determine if the cost, schedule and work accomplished are progressing in accordance with the plan. EVA works most effectively if a well-formed work breakdown structure exists. Function point analysis (FPA) is an indirect measure of software size and complexity and, therefore, does not address the elements of time and budget. Cost budgets do not address time. PERT aids in time and deliverables management, but lacks projections for estimates at completion (EACs) and overall financial management.

When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should: A. not be concerned since there may be other compensating controls to mitigate the risks. B. ensure that overrides are automatically logged and subject to review. C. verify whether all such overrides are referred to senior management for approval. D. recommend that overrides not be permitted.

B. Ensure that overrides are automatically logged and subject to review. Answer: B Explanation: If input procedures allow overrides of data validation and editing, automatic logging should occur. A management individual who did not initiate the override should review this log. An IS auditor should not assume that compensating controls exist. Aslong as the overrides are policy-compliant, there is no need for senior management approval or a blanket prohibition.

An organization has an integrated development environment (IDE) on which the program libraries reside on the server, but modification/development and testing are done from PC workstations. Which of the following would be a strength of an IDE? A. Controls the proliferation of multiple versions of programs B. Expands the programming resources and aids available C. Increases program and processing integrity D. Prevents valid changes from being overwritten by other changes

B. Expands the programming resources and aids available. Answer: B Explanation: A strength of an IDE is that it expands the programming resources and aids available. The other choices are IDE weaknesses.

At the completion of a system development project, a postproject review should include which of the following? A. Assessing risks that may lead to downtime after the production release B. Identifying lessons learned that may be applicable to future projects C. Verifying the controls in the delivered system are working D. Ensuring that test data are deleted

B. Identifying lessons learned that may be appliable to future projects. Answer: B Explanation: A project team has something to learn from each and every project. As risk assessment is a key issue for project management, it is important for the organization to accumulate lessons learned and integrate them into future projects. An assessment ofpotential downtime should be made with the operations group and other specialists before implementing a system. Verifying that controls are working should be covered during the acceptance test phase and possibly, again, in the postimplementation review. Test data should be retained for future regression testing.

Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects? A. increase the time allocated for system testing B. implement formal software inspections C. increase the development staff D. Require the sign-off of all project deliverables

B. Implement formal software inspections. Answer: B Explanation: Inspections of code and design are a proven software quality technique. An advantage of this approach is that defects are identified before they propagate through the development life cycle. This reduces the cost of correction as less rework is involved. Allowing more time for testing may discover more defects; however, little is revealed as to why the quality problems are occurring and the cost of the extra testing, and the cost of rectifying the defects found will be greater than if they had been discovered earlier in the development process. The ability of the development staff can have a bearing on the quality of what is produced; however, replacing staff can be expensive and disruptive, and the presence of a competent staff cannot guarantee quality in the absence of effective quality management processes. Sign-off of deliverables may help detect defects if signatories are diligent about reviewing deliverable content; however, this is difficult to enforce. Deliverable reviews normally do not go down to the same level of detail as software inspections.

The rate of change in technology increases the importance of: A. outsourcing the IS function. B. implementing and enforcing good processes. C. hiring personnel willing to make a career within the organization. D. meeting user requirements.

B. Implementing and enforcing good processes. Answer: B Explanation: Change requires that good change management processes be implemented and enforced. Outsourcing the IS function is not directly related to the rate of technological change. Personnel in a typical IS department are highly qualified and educated; usually they do not feel their jobs are at risk and are prepared to switch jobs frequently. Although meeting user requirements is important, it is not directly related to the rate of technological change in the IS environment.

A number of system failures are occurring when corrections to previously detected errors are resubmitted for acceptance testing. This would indicate that the maintenance team is probably not performing adequately which of the following types of testing? A. Unit testing B. Integration testing C. Design walkthroughs D. Configuration management

B. Integration testing. Answer: B Explanation: A common system maintenance problem is that errors are often corrected quickly (especially when deadlines are tight). Units are tested by the programmer and then transferred to the acceptance test area; this often results in system problems that should have been detected during integration or system testing. Integration testing aims at ensuring that the major components of the system interface correctly.

To support an organization's goals, an IS department should have: A. a low-cost philosophy. B. long- and short-range plans. C. leading-edge technology. D. plans to acquire new hardware and software.

B. Long and short range plans. Answer: B Explanation: To ensure its contribution to the realization of an organization's overall goals, the IS department should have long- and short-range plans that are consistent with the organization's broader plans for attaining its goals. Choices A and C are objectives, and plans would be needed to delineate how each of the objectives would be achieved. Choice D could be a part of the overall plan but would be required only if hardware or software is needed to achieve the organizational goals.

During which of the following phases in system development would user acceptance test plans normally be prepared? A. Feasibility study B. Requirements definition C. implementation planning D. Postimplementation review

B. Requirements definition Answer: B Explanation: During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how the system functionality canbe tested to ensure it meets their stated needs. The feasibility study is too early for such detailed user involvement, and the implementation planning and postimplementation review phases are too late. An IS auditor should know at what point user testing should be planned to ensure it is most effective and efficient.

A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and: A. recovery. B. retention. C. rebuilding. D. reuse.

B. Retention. Answer: B Explanation: Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which e-mail communication is held in the same regard as the officialform of classic 'paper* makes the retention of corporate e-mail a necessity. All e-mail generated on an organization's hardware is the property of the organization, and an e-mail policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of e-mails after a specified time to protect the nature and confidentiality of the messages themselves. Addressing the retention issue in the e-mail policy would facilitate recovery, rebuilding and reuse.

The PRIMARY objective of an audit of IT security policies is to ensure that: A. they are distributed and available to all staff. B. security and control policies support business and IT objectives. C. there is a published organizational chart with functional descriptions. D. duties are appropriately segregated.

B. Security and control policies support business and IT objectives. Answer: B Explanation: Business orientation should be the main theme in implementing security. Hence, an IS audit of IT security policies should primarily focus on whether the IT and related security and control policies support business and IT objectives. Reviewing whether policies are available to all is an objective, but distribution does not ensure compliance. Availability of organizational charts with functional descriptions and segregation of duties might be included in the review, but are not the primary objective of an audit of security policies.

Establishing the level of acceptable risk is the responsibility of: A. quality assurance management. B. senior business management. C. the chief information officer. D. the chief security officer.

B. Senior business management. Answer: B Explanation: Senior management should establish the acceptable risk level, since they have the ultimate or final responsibility for the effective and efficient operation of the organization. Choices A, C and D should act as advisors to senior management in determining an acceptable risk level.

When using an integrated test facility (ITF), an IS auditor should ensure that: A. production data are used for testing. B. test data are isolated from production data. C. a test data generator is used. D. master files are updated with the test data.

B. Test data are isolated from production data. Answer: B Explanation: An integrated test facility (ITF) creates a fictitious file in the database, allowing for test transactions to be processed simultaneously with live datA. While this ensures that periodic testing does not require a separate test process, there is a need to isolate test data from production datA. An IS auditor is not required to use production data or a test data generator. Production master files should not be updated with test data.

When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those: A. whose sum of activity time is the shortest. B. that have zero slack time. C. that give the longest possible completion time. D. whose sum of slack time is the shortest.

B. That have zero slack time. Answer: B Explanation: A critical path's activity time is longer than that for any other path through the network. This path is important because if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities onthe critical path become candidates for crashing, i.e., for reduction in their time by payment of a premium for early completion. Activities on the critical path have zero slack time and conversely, activities with zero slack time are on a critical path. By successively relaxing activities on a critical path, a curve showing total project costs vs. time can be obtained.

When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST? A. The project budget B. The critical path for the project C. The length of the remaining tasks D. The personnel assigned to other tasks

B. The critical path for the project. Answer: B Explanation: Since adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that additional resources will in fact shorten the project duration. Given that there may be slack time available on some of the other tasks not on the critical path, factors such as the project budget, the length of other tasks and the personnel assigned to them may or may not be affected.

Information for detecting unauthorized input from a terminal would be BEST provided by the: A. console log printout. B. transaction journal. C. automated suspense file listing. D. user error report.

B. Transactio journal Answer: B Explanation: The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. A console log printout is not the best, because it would not record activity from a specific terminal. An automated suspense file listing would only list transaction activity where an edit error occurred, while the user error report would only list input that resulted in an edit error.

From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is: A. a big bang deployment after proof of concept. B. prototyping and a one-phase deployment. C. a deployment plan based on sequenced phases. D. to simulate the new infrastructure before deployment.

C. A deployment plan based on sequenced phases. Answer: C Explanation: When developing a large and complex IT infrastructure, the best practice is to use a phased approach to fitting the entire system together. This will provide greater assurance of quality results. The other choices are riskier approaches.

When performing an audit of a client relationship management (CRM) system migration project, which of the following should be of GREATEST concern to an IS auditor? A. The technical migration is planned for a Friday preceding a long weekend, and the time window is too short for completing all tasks. B. Employees pilot-testing the system are concerned that the data representation in the new system is completely different from the old system. C. A single implementation is planned, immediately decommissioning the legacy system. D. Five weeks prior to the target date, there are still numerous defects in the printing functionality of the new system's software.

C. A single implementation is planned, immediately decommissioning the legacy system. Answer: C Answer: C Explanation: Major system migrations should include a phase of parallel operation or a phased cut-over to reduce implementation risks. Decommissioning or disposing of the old hardware would complicate any fallback strategy, should the new system not operate correctly. A weekend can be used as a time buffer so that the new system will have a better chance of being up and running after the weekend. A different data representation does not mean different data presentation at the front end. Even when this is thecase, this issue can be solved by adequate training and user support. The printing functionality is commonly one of the last functions to be tested in a new system because it is usually the last step performed in any business event. Thus, meaningful testing and the respective error fixing are only possible after all other parts of the software have been successfully tested.

In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as: A. isolation. B. consistency. C. atomicity. D. durability.

C. Atomocity Answer: C Explanation: The principle of atomicity requires that a transaction be completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out. Consistency ensures that all integrity conditions in the database maintained with each transaction. Isolation ensures that each transaction is isolated from other transactions; hence, each transaction only accesses data that are part of a consistent database state. Durability ensures that, when a transaction has been reported back to a user as complete, the resultant changes to the database will survive subsequent hardware or software failures.

To minimize the cost of a software project, quality management techniques should be applied: A. as close to their writing (i.e., point of origination) as possible. B. primarily at project start-up to ensure that the project is established in accordance with organizational governance standards. C. continuously throughout the project with an emphasis on finding and fixing defects primarily during testing to maximize the defect detection rate. D. mainly at project close-down to capture lessons learned that can be applied to future projects.

C. Continuously throughout the project with an emphasis on finding and fixing defects primarily during testing to maximize the defect detection rate. Answer: C Explanation: While it is important to properly establish a software development project, quality management should be effectively practiced throughout the project. The major source of unexpected costs on most software projects is rework. The general rule is thatthe earlier in the development life cycle that a defect occurs, and the longer it takes to find and fix that defect, the more effort will be needed to correct it. A well-written quality management plan is a good start, but it must also be actively applied. Simply relying on testing to identify defects is a relatively costly and less effective way of achieving software quality. For example, an error in requirements discovered in the testing phase can result in scrapping significant amounts of work. Capturing lessons learned will be too late for the current project. Additionally, applying quality management techniques throughout a project is likely to yield its own insights into the causes of quality problems and assist in staff development.

Which of the following would impair the independence of a quality assurance team? A. Ensuring compliance with development methods B. Checking the testing assumptions C. Correcting coding errors during the testing process D. Checking the code to ensure proper documentation

C. Correcting coding errors during the testing process. Answer: C Explanation: Correction of code should not be a responsibility of the quality assurance team as it would not ensure segregation of duties and would impair the team's independence. The other choices are valid quality assurance functions.

The specific advantage of white box testing is that it: A. verifies a program can operate successfully with other parts of the system. B. ensures a program's functional operating effectiveness without regard to the internal program structure. C. determines procedural accuracy or conditions of a program's specific logic paths. D. examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.

C. Determines procedural accuracy or conditions of a program's specific logic paths. Answer: C Explanation: White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths. Verifying the program can operate successfully with other parts of the system is sociability testing. Testing the program's functionality without knowledge of internal structures is black box testing. Controlled testing of programs in a semi-debugged environment, either heavily controlled step-by-step or via monitoring in virtual machines, is sand box testing.

An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk? A. Pilot B. Parallel C. Direct cutover D. Phased

C. Direct cutover. Answer: C Explanation: Direct cutover implies switching to the new system immediately, usually without the ability to revert to the old system in the event of problems. All other alternatives are done gradually and thus provide greater recoverability and are therefore less risky.

The GREATEST advantage of using web services for the exchange of information between two systems is: A. secure communications. B. improved performance. C. efficient interfacing. D. enhanced documentation.

C. Efficient interfacting. Answer: C Explanation: Web services facilitate the exchange of information between two systems, regardless of the operating system or programming language used. Communication is not necessarily securer or faster, and there is no documentation benefit in using web services.

A decision support system (DSS): A. is aimed at solving highly structured problems. B. combines the use of models with nontraditional data access and retrieval functions. C. emphasizes flexibility in the decision making approach of users. D. supports only structured decision making tasks.

C. Emphasizes flexibility in the decision making approach of users. Answer: C Explanation: DSS emphasizes flexibility in the decision making approach of users. It is aimed at solving less structured problems, combines the use of models and analytic techniques with traditional data access and retrieval functions, and supports semistructureddecision making tasks.

Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data? A. inheritance B. Dynamic warehousing C. Encapsulation D. Polymorphism

C. Encapsulation Answer: C Explanation: Encapsulation is a property of objects, and it prevents accessing either properties or methods that have not been previously defined as public. This means that any implementation of the behavior of an object is not accessible. An object defines a communication interface with the exterior and only that which belongs to that interface can be accessed.

During the system testing phase of an application development project the IS auditor should review the: A. conceptual design specifications. B. vendor contract. C. error reports. D. program change requests

C. Error Reports Answer: C Explanation: Testing is crucial in determining that user requirements have been validated. The IS auditor should be involved in this phase and review error reports for their precision in recognizing erroneous data and review the procedures for resolving errors. Aconceptual design specification is a document prepared during the requirements definition phase. A vendor contract is prepared during a software acquisition process. Program change requests would normally be reviewed as a part of the postimplementation phase.

An advantage in using a bottom-up vs. a top-down approach to software testing is that: A. interface errors are detected earlier. B. confidence in the system is achieved earlier. C. errors in critical modules are detected earlier. D. major functions and processing are tested earlier.

C. Errors in critical modules are detected earlier Answer: C Explanation: The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upward until a complete system testing has taken place. The advantages of using a bottom-up approach to software testing are the fact that there is no need for stubs or drivers and errors in critical modules are found earlier. The other choices in this question all refer to advantages of a top-down approach, which follows the opposite path, either in depth-first or breadth-first search order.

A manufacturing firm wants to automate its invoice payment system. Objectives state that the system should require considerably less time for review and authorization and the system should be capable of identifying errors that require follow up. Which of the following would BEST meet these objectives? A. Establishing an inter-networked system of client servers with suppliers for increased efficiencies B. Outsourcing the function to a firm specializing in automated payments and accounts receivable/invoice processing C. Establishing an EDI system of electronic business documents and transactions with key suppliers, computer to computer, in a standard format D. Reengineering the existing processing and redesigning the existing system

C. Establishing an EDI system of electornic business documents and transactions with key suppliers, computer to computer in a standard fornmat. Answer: C Explanation: EDI is the best answer. Properly implemented (e.g., agreements with trading partners transaction standards, controls over network security mechanisms in conjunction with application controls), EDI is best suited to identify and follow up on errors more quickly, given reduced opportunities for review and authorization.

A manager of a project was not able to implement all audit recommendations by the target date. The IS auditor should: A. recommend that the project be halted until the issues are resolved. B. recommend that compensating controls be implemented. C. evaluate risks associated with the unresolved issues. D. recommend that the project manager reallocate test resources to resolve the issues.

C. Evaluate risks associated with the unresolved issues. Answer: C Explanation: It is important to evaluate what the exposure would be when audit recommendations have not been completed by the target date. Based on the evaluation, management can accordingly consider compensating controls, risk acceptance, etc. All other choicesmight be appropriate only after the risks have been assessed.

Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date? A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports B. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables C. Extrapolation of the overall end date based on completed work packages and current resources D. Calculation of the expected end date based on current resources and remaining available project budget

C. Extrapolation of the overall end date based on completed work packages and current resources. Answer: C Explanation: Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers fordependencies between tasks, while overestimating the completion percentage for tasks underway (80:20 rule). The calculation based on remaining budget does not take into account the speed at which the project has been progressing.

An IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could an IS auditor use to estimate the size of the development effort? A. Program evaluation review technique (PERT) B. Counting source lines of code (SLOC) C. Function point analysis D. White box testing

C. Function point analysis. Answer: C Answer: C Explanation: Function point analysis is an indirect method of measuring the size of an application by considering the number and complexity of its inputs, outputs and files. It is useful for evaluating complex applications. PERT is a project management techniquethat helps with both planning and control. SLOC gives a direct measure of program size, but does not allow for the complexity that may be caused by having multiple, linked modules and a variety of inputs and outputs. White box testing involves a detailed review of the behavior of program code, and is a quality assurance technique suited to simpler applications during the design and build stage of development.

Responsibility and reporting lines cannot always be established when auditing automated systems since: A. diversified control makes ownership irrelevant. B. staff traditionally changes jobs with greater frequency. C. ownership is difficult to establish where resources are shared. D. duties change frequently in the rapid development of technology.

C. Ownership is difficult to establish where resources are shared. Answer: C Explanation: Because of the diversified nature of both data and application systems, the actual owner of data and applications may be hard to establish.

An IS auditor reviewing the risk assessment process of an organization should FIRST: A. identify the reasonable threats to the information assets. B. analyze the technical and organizational vulnerabilities. C. identify and rank the information assets. D. evaluate the effect of a potential security breach. Answer:

C. Identify and rank the information assets. Answer: C Explanation: Identification and ranking of information assets-e.g., data criticality, locations of assets-will set the tone or scope of how to assess risk in relation to the organizational value of the asset. Second, the threats facing each of the organization's assets should be analyzed according to their value to the organization. Third, weaknesses should be identified so that controls can be evaluated to determine if they mitigate the weaknesses. Fourth, analyze how these weaknesses, in absence of given controls, would impact the organization information assets.

When evaluating the controls of an EDI application, an IS auditor should PRIMARILY be concerned with the risk of: A. excessive transaction turnaround time. B. application interface failure. C. improper transaction authorization. D. nonvalidated batch totals.

C. Improper transaction authorization. Answer: C Explanation: Foremost among the risks associated with electronic data interchange (EDI) is improper transaction authorization. Since the interaction with the parties is electronic, there is no inherent authentication. The other choices, although risks, are not assignificant.

Which of the following is an implementation risk within the process of decision support systems? A. Management control B. Semistructured dimensions C. inability to specify purpose and usage patterns D. Changes in decision processes

C. Inabililty to specify purpose and usage patterns. Answer: C Explanation: The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a decision support system (DSS). Choices A, B and D are not risks, but characteristics of a DSS.

During the development of an application, the quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be: A. increased maintenance. B. improper documentation of testing. C. inadequate functional testing. D. delays in problem resolution.

C. Inadequate functional testing. Answer: C Explanation: The major risk of combining quality assurance testing and user acceptance testing is that functional testing may be inadequate. Choices A, B and D are not as important.

Which of the following BEST supports the prioritization of new IT projects? A. Internal control self-assessment (CSA) B. Information systems audit C. Investment portfolio analysis D. Business risk assessment

C. Investment portfolio analysis Answer: C Explanation: It is most desirable to conduct an investment portfolio analysis, which will present not only a clear focus on investment strategy, but will provide the rationale for terminating nonperforming IT projects. Internal control self-assessment {CSA} may highlight noncompliance to the current policy, but may not necessarily be the best source for driving the prioritization of IT projects. Like internal CSA, IS audits may provide only part of the picture for the prioritization of IT projects. Businessrisk analysis is part of the investment portfolio analysis but, by itself, is not the best method for prioritizing new IT projects.

Which of the following is a characteristic of timebox management? A. Not suitable for prototyping or rapid application development (RAD) B. Eliminates the need for a quality process C. Prevents cost overruns and delivery delays D. Separates system and user acceptance testing

C. Prevents cost overruns and delivery delays. Answer: C Explanation: Timebox management, by its nature, sets specific time and cost boundaries. It is very suitable for prototyping and RAD, and integrates system and user acceptance testing, but does not eliminate the need for a quality process.

Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects? A. Project database B. Policy documents C. Project portfolio database D. Program organization

C. Project portfolio database. Answer: C Answer: C Explanation: A project portfolio database is the basis for project portfolio management. It includes project data, such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports. A project database may contain the above for one specific project and updates to various parameters pertaining to the current status of that single project. Policy documents on project management set direction for the design, development, implementation and monitoring of the project. Program organization is the team required (steering committee, quality assurance, systems personnel, analyst, programmer, hardware support, etc.) to meet the delivery objective of the project.

An organization is implementing an enterprise resource planning (ERP) application to meet its business objectives. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results? A. Project sponsor B. System development project team (SPDT) C. Project steering committee D. User project team (UPT)

C. Project steering committee. Answer: C Explanation: A project steering committee that provides an overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support. The sponsor provides funding for the project and works closely with the project manager to define the critical success factors or metrics forthe project. The project sponsor is not responsible for reviewing the progress of the project. A system development project team (SDPT) completes the assigned tasks, works according to the instructions of the project manager and communicates with the user project team. The SDPT is not responsible for reviewing the progress of the project. A user project team (UPT) completes the assigned tasks, communicates effectively with the system development team and works according to the advice of the project manager. A UPT is not responsible for reviewing the progress of the project.

Which of the following is a management technique that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality? A. Function point analysis B. Critical path methodology C. Rapid application development D. Program evaluation review technique

C. Rapid Application Development. Answer: C Answer: C Explanation: Rapid application development is a management technique that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality. The program evaluation review technique (PERT) and critical path methodology (CPM) are both planning and control techniques, while function point analysis is used for estimating the complexity of developing business applications.

At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should: A. report the error as a finding and leave further exploration to the auditee's discretion. B. attempt to resolve the error. C. recommend that problem resolution be escalated. D. ignore the error, as it is not possible to get objective evidence for the software error.

C. Reccomend that problem resolution be escalated. Answer: C Explanation: When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted. Recording it as a minor error and leaving it to the auditee's discretion would be inappropriate, and neglecting the error would indicate that the auditor has not taken steps to further probe the issue to its logical end.

What control detects transmission errors by appending calculated bits onto the end of each segment of data? A. Reasonableness check B. Parity check C. Redundancy check D. Check digits

C. Redundnacy check. Answer: C Answer: C Explanation: A redundancy check detects transmission errors by appending calculated bits onto the end of each segment of datA. A reasonableness check compares data to predefined reasonability limits or occurrence rates established for the datA. A parity check isa hardware control that detects data errors when data are read from one computer to another, from memory or during transmission. Check digits detect transposition and transcription errors.

The reason for establishing a stop or freezing point on the design of a new system is to: A. prevent further changes to a project in process. B. indicate the point at which the design is to be completed. C. require that changes after that point be evaluated for cost-effectiveness. D. provide the project management team with more control over the project design.

C. Require that changes after that point be evaluated for cost effectiveness. Answer: C Explanation: Projects often have a tendency to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost-benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all of the costbenefits and the payback period.

Which of the following reduces the potential impact of social engineering attacks? A. Compliance with regulatory requirements B. Promoting ethical understanding C. Security awareness programs D. Effective performance incentives

C. Security awareness programs. Answer: C Explanation: Because social engineering is based on deception of the user, the best countermeasure or defense is a security awareness program. The other choices are not user-focused.

Which of the following should be included in a feasibility study for a project to implement an EDI process? A. The encryption algorithm format B. The detailed internal control procedures C. The necessary communication protocols D. The proposed trusted third-party agreement

C. The necessary communication protocols. Answer: C Explanation: Encryption algorithms, third-party agreements and internal control procedures are too detailed for this phase. They would only be outlined and any cost or performance implications shown. The communications protocols must be included, as there may besignificant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization.

An IS auditor reviewing an accounts payable system discovers that audit logs are not being reviewed. When this issue is raised with management the response is that additional controls are not necessary because effective system access controls are inplace. The BEST response the auditor can make is to: A. review the integrity of system access controls. B. accept management's statement that effective access controls are in place. C. stress the importance of having a system control framework in place. D. review the background checks of the accounts payable staff.

C. Stress the importance of having a system control framwework in place. Answer: C Explanation: Experience has demonstrated that reliance purely on preventative controls is dangerous. Preventative controls may not prove to be as strong as anticipated or their effectiveness can deteriorate over time. Evaluating the cost of controls versus the quantum of risk is a valid management concern. However, in a high-risk system a comprehensive control framework is needed, intelligent design should permit additional detective and corrective controls to be established that don't have high ongoing costs, e.g., automated interrogation of logs to highlight suspicious individual transactions or data patterns. Effective access controls are, in themselves, a positive but, for reasons outlined above, may not sufficiently compensate for other control weaknesses. In this situation the IS auditor needs to be proactive. The IS auditor has a fundamental obligation to point out control weaknesses that give rise to unacceptable risks to the organization and work with management to have these corrected. Reviewing background checks on accounts payable staff does not provide evidence that fraud will not occur.

When two or more systems are integrated, input/output controls must be reviewed by an IS auditor in the: A. systems receiving the output of other systems. B. systems sending output to other systems. C. systems sending and receiving data. D. interfaces between the two systems.

C. Systems sending and receiving data. Answer: C Explanation: Both of the systems must be reviewed for input/output controls, since the output for one system is the input for the other.

Ideally, stress testing should be carried out in a: A. test environment using test data. B. production environment using live workloads. C. test environment using live workloads. D. production environment using test data.

C. Test environment using live workloads. Answer: C Explanation: Stress testing is carried out to ensure a system can cope with production workloads. A test environment should always be used to avoid damaging the production environment. Hence, testing should never take place in a production environment (choices Band D), and if only test data is used, there is no certainty that the system was stress tested adequately.

The MOST likely explanation for the use of applets in an Internet application is that: A. it is sent over the network from the server. B. the server does not run the program and the output is not sent over the network. C. they improve the performance of the web server and network. D. it is a JAVA program downloaded through the web browser and executed by the web server of the client machine.

C. They improve the performance of the web server and network. Answer: C Explanation: An applet is a JAVA program that is sent over the network from the web server, through a web browser and to the client machine; the code is then run on the machine. Since the server does not run the program and the output is not sent over the network, the performance on the web server and network-over which the server and client are connected-drastically improves through the use of applets. Performance improvement is more important than the reasons offered in choices A and B. Since JAVA virtual machine (JVM) is embedded in most web browsers, the applet download through the web browser runs on the client machine from the web browser, not from the web server, making choice D incorrect.

Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible? A. Bottom up B. Sociability testing C. Top-down D. System test

C. Top-down Answer: C Explanation: The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early. A bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until acomplete system test has taken place. Sociability testing and system tests take place at a later stage in the development process.

An appropriate control for ensuring the authenticity of orders received in an EDI application is to: A. acknowledge receipt of electronic orders with a confirmation message. B. perform reasonableness checks on quantities ordered before filling orders. C. verify the identity of senders and determine if orders correspond to contract terms. D. encrypt electronic orders.

C. Verify the identity of senders and determine if orders correspond to contract terms. Answer: C Explanation: An electronic data interchange (EDI) system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern. Acknowledging the receipt of electronic orders with a confirming message is good practice but will not authenticate orders from customers. Performing reasonableness checkson quantities ordered before placing orders is a control for ensuring the correctness of the company's orders, not the authenticity of its customers' orders. Encrypting sensitive messages is an appropriate step but does not apply to messages received.

Which of the following is the GREATEST risk to the effectiveness of application system controls? A. Removal of manual processing steps B. inadequate procedure manuals C. Collusion between employees D. Unresolved regulatory compliance issues

C. collusion between employees. Answer: C Collusion is an active attack that can be sustained and is difficult to identify since even wellthought- out application controls may be circumvented. The other choices do not impact well-designed application controls.

The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it: A. facilitates user involvement. B. allows early testing of technical features. C. facilitates conversion to the new system. D. shortens the development time frame.

D. Shortens the development time frame. Answer: D Explanation: The greatest advantage of RAD is the shorter time frame for the development of a system. Choices A and B are true, but they are also true for the traditional systems development life cycle. Choice C is not necessarily always true.

When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated? A. Use of a cryptographic hashing algorithm B. Enciphering the message digest C. Deciphering the message digest D. A sequence number and time stamp

D. A sequence number and time stamp. Answer: D Answer: D Explanation: When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay protection, and could be used toverify that a payment instruction was not duplicated. Use of a cryptographic hashing algorithm against the entire message helps achieve data integrity. Enciphering the message digest using the sender's private key, which signs the sender's digital signature to the document, helps in authenticating the transaction. When the message is deciphered by the receiver using the sender's public key, it ensures that the message could only have come from the sender. This process of sender authentication achieves nonrepudiation.

A company has recently upgraded its purchase system to incorporate EDI transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping? A. Key verification B. One-for-one checking C. Manual recalculations D. Functional acknowledgements

D. Functional acknowledgements. Answer: D Explanation: Acting as an audit trail for EDI transactions, functional acknowledgements are one of the main controls used in data mapping. All the other choices are manual input controls, whereas data mapping deals with automatic integration of data in the receiving company.

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live? A. IS auditor B. Database administrator C. Project manager D. Data owner

D. Data owner Answer: D Answer: D Explanation: During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely, accurately and are valid. An IS auditor is not responsible for reviewing and signing-off on the accuracy of the converted datA. However, an IS auditor should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project. A database administrator's primary responsibility is to maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated datA. A project manager provides day-to-day management and leadership of the project, but is not responsible for the accuracy and integrity of the data.

During the audit of an acquired software package, an IS auditor learned that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST: A. test the software for compatibility with existing hardware. B. perform a gap analysis. C. review the licensing policy. D. ensure that the procedure had been approved.

D. Ensure the procedures had been approved. Answer: D Explanation: In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities. The other choices are not the first actions an IS auditor should take. They are steps that may or may not be taken after determining that the procedure used to acquire the software had been approved.

An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation? A. Log all table update transactions. B. implement before-and-after image reporting. C. Use tracing and tagging. D. implement integrity constraints in the database.

D. Implement integrity constraints in the database. Answer: D Explanation: Implementing integrity constraints in the database is a preventive control, because data is checked against predefined tables or rules preventing any undefined data from being entered. Logging all table update transactions and implementing before-and-after image reporting are detective controls that would not avoid the situation. Tracing and tagging are used to test application systems and controls and could not prevent out-of-range data.

An example of a direct benefit to be derived from a proposed IT-related business investment is: A. enhanced reputation. B. enhanced staff morale. C. the use of new technology. D. increased market penetration.

D. Increased market penetration. Answer: D Explanation: A comprehensive business case for any proposed IT-related business investment should have clearly defined business benefits to enable the expected return to be calculated. These benefits usually fall into two categories: direct and indirect, or soft.Direct benefits usually comprise the quantifiable financial benefits that the new system is expected to generate. The potential benefits of enhanced reputation and enhanced staff morale are difficult to quantify, but should be quantified to the extent possible. IT investments should not be made just for the sake of new technology but should be based on a quantifiable business need.

Which of the following is the PRIMARY objective of an IT performance measurement process? A. Minimize errors B. Gather performance data C. Establish performance baselines D. Optimize performance

D. Optimize performance Answer: D Explanation: An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability and make budget decisions. Minimizing errors is an aspect of performance, but not the primary objective of performance management. Gathering performance data is a phase of IT measurement process and would be used to evaluate the performance against previously established performance baselines.

Which of the following system and data conversion strategies provides the GREATEST redundancy? A. Direct cutover B. Pilot study C. Phased approach D. Parallel run

D. Parallel Run. Answer: D Explanation: Parallel runs are the safest-though the most expensive-approach, because both the old and new systems are run, thus incurring what might appear to be double costs. Direct cutover is actually quite risky, since it does not provide for a 'shake down period' nor does it provide an easy fallback option. Both a pilot study and a phased approach are performedincrementally, making rollback procedures difficult to execute.

An IS auditor is reviewing a project that is using an Agile software development approach. Which of the following should the IS auditor expect to find? A. Use of a process-based maturity model such as the capability maturity model (CMM) B. Regular monitoring of task-level progress against schedule C. Extensive use of software development tools to maximize team productivity D. Postiteration reviews that identify lessons learned for future use in the project

D. Postiteration reviews that identify lessons learned for future use of the project. Answer: D Answer: D Explanation: A key tenet of the Agile approach to software project management is team learning and the use of team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is that, atthe end of each iteration, the team considers and documents what worked well and what could have worked better, and identifies improvements to be implemented in subsequent iterations. CMM and Agile really sit at opposite poles. CMM places heavy emphasis on predefined formal processes and formal project management and software development deliverables. Agile projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics. Additionally, less importance is placed on formal paperbased deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from 4 to 8 weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant. Agile projects do make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of

By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that: A. reliable products are guaranteed. B. programmers' efficiency is improved. C. security requirements are designed. D. predictable software processes are followed.

D. Predicatbale software processes are followed. Answer: D Explanation: By evaluating the organization's development projects against the CMM, an IS auditor determines whether the development organization follows a stable, predictable software process. Although the likelihood of success should increase as the software processes mature toward the optimizing level, mature processes do not guarantee a reliable product. CMM does not evaluate technical processes such as programming nor does it evaluate security requirements or other application controls.

An IS auditor reviewing a proposed application software acquisition should ensure that the: A. operating system (OS) being used is compatible with the existing hardware platform. B. planned OS updates have been scheduled to minimize negative impacts on company needs. C. OS has the latest versions and updates. D. products are compatible with the current or planned OS.

D. Products are compatiable with the current or planned OS. Answer: D Answer: D Explanation: Choices A, B and C are incorrect because none of them are related to the area being audited. In reviewing the proposed application the auditor should ensure that the products to be purchased are compatible with the current or planned OS. Regarding choice A, if the OS is currently being used, it is compatible with the existing hardware platform, because if it is not it would not operate properly. In choice B, the planned OS updates should be scheduled to minimize negative impacts on the organization. For choice C, the installed OS should be equipped with the most recent versions and updates (with sufficient history and stability).

The editing/validation of data entered at a remote site would be performed MOST effectively at the: A. central processing site after running the application system. B. central processing site during the running of the application system. C. remote processing site after transmission of the data to the central processing site. D. remote processing site prior to transmission of the data to the central processing site.

D. Remote processing site prior to transmission of the date to hte central processing site. Answer: D Explanation: It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site.

An IS auditor is assigned to audit a software development project which is more than 80 percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which of the following actions should the IS auditor take? A. Report that the organization does not have effective project management. B. Recommend the project manager be changed. C. Review the IT governance structure. D. Review the conduct of the project and the business case.

D. Review the conduct of the project and the business case. Answer D Explanation: Before making any recommendations, an IS auditor needs to understand the project and the factors that have contributed to making the project over budget and over schedule. The organization may have effective project management practices and sound ITgovernance and still be behind schedule or over budget. There is no indication that the project manager should be changed without looking into the reasons for the overrun.

Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems? A. Parallel testing B. Pilot testing C. Interface/integration testing D. Sociability testing

D. Socialability testing. Answer: D Explanation: The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems, as well as changes to the desktop in a client-server or web development. Parallel testing is the process of feeding data into two systems-the modified system and an alternate systemand comparing the results. In this approach, the old and new systems operate concurrently for a period of time and perform the same processing functions. Pilot testing takes place first at one location and is then extended to other locations. The purpose is to see if the new system operates satisfactorily in one place before implementing it at other locations. Interface/integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another.The objective is to take unit-tested modules and build an integrated structure.

An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that: A. a backup server be available to run ETCS operations with up-to-date data. B. a backup server be loaded with all the relevant software and data. C. the systems staff of the organization be trained to handle any event. D. source code of the ETCS application be placed in escrow.

D. Source code of the ETCS application be placed in escrow. Answer: D Explanation: Whenever proprietary application software is purchased, the contract should provide for a source code agreement. This will ensure that the purchasing company will have the opportunity to modify the software should the vendor cease to be in business.Having a backup server with current data and staff training is critical but not as critical as ensuring the availability of the source code.

The MAJOR advantage of a component-based development approach is the: A. ability to manage an unrestricted variety of data types. B. provision for modeling complex relationships. C. capacity to meet the demands of a changing environment. D. support of multiple development environments.

D. Support of multiple development environments. Answer: D Explanation: Components written in one language can interact with components written in other languages or running on other machines, which can increase the speed of development. Software developers can then focus on business logic. The other choices are not themost significant advantages of a component-based development approach.

An advantage of using sanitized live transactions in test data is that: A. all transaction types will be included. B. every error condition is likely to be tested. C. no special routines are required to assess the results. D. test transactions are representative of live processing.

D. Test transactions are repressentive of live processing. Answer: D Explanation: Test data will be representative of live processing; however, it is unlikely that all transaction types or error conditions will be tested in this way.

Which of the following is the PRIMARY purpose for conducting parallel testing? A. To determine if the system is cost-effective B. To enable comprehensive unit and system testing C. To highlight errors in the program interfaces with files D. To ensure the new system meets user requirements

D. To ensure the new system meets user requirements. Answer: D The purpose of parallel testing is to ensure that the implementation of a new system will meet user requirements. Parallel testing may show that the old system is, in fact, better than the new system, but this is not the primary reason. Unit and system testing are completed before parallel testing. Program interfaces with files are tested for errors during system testing.

The most common reason for the failure of information systems to meet the needs of users is that: A. user needs are constantly changing. B. the growth of user requirements was forecast inaccurately. C. the hardware system limits the number of concurrent users. D. user participation in defining the system's requirements was inadequate.

D. User participation in defining the system's requirements was inadequate. Answer: D Explanation: Lack of adequate user involvement, especially in the system's requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are, and therefore what the system should accomplish.

A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of: A. validation controls. B. internal credibility checks. C. clerical control procedures. D. automated systems balancing.

D. automated systems balancing. Answer: D Explanation: Automated systems balancing would be the best way to ensure that no transactions are lost as any imbalance between total inputs and total outputs would be reported for investigation and correction. Validation controls and internal credibility checksare certainly valid controls, but will not detect and report lost transactions. In addition, although a clerical procedure could be used to summarize and compare inputs and outputs, an automated process is less susceptible to error.

When an employee is terminated from service, the MOST important action is to: A. hand over all of the employee's files to another designated employee. B. complete a backup of the employee's work. C. notify other employees of the termination. D. disable the employee's logical access.

D. disable the employees logical access Answer: D Explanation: There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important action to take. All the work of the terminated employee needs to be handed over to a designated employee; however, this should be performed after implementing choice D. All the work of the terminated employee needs to be backed up and the employees need to be notified of the termination of the employee, but this should not precede the action in choice D.

An existing system is being extensively enhanced by extracting and reusing design and program components. This is an example of: A. reverse engineering. B. prototyping. C. software reuse. D. reengineering.

D. reengineering. Answer: D Explanation: Old (legacy) systems that have been corrected, adapted and enhanced extensively require reengineering to remain maintainable. Reengineering is a rebuilding activity to incorporate new technologies into existing systems. Using program language statements, reverse engineering involves reversing a program's machine code into the source code in which it was written to identify malicious content in a program, such as a virus, or to adapt a program written for use with one processor for use with a differently designed processor. Prototyping is the development of a system through controlled trial and error. Software reuse is the process of planning, analyzing and using previously developed software components. The reusable components are integrated into the current software product systematically.

After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend? A. Stress B. Black box C. Interface D. System

D. system testing. Answer: D Explanation: Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. Interface testing is not enough, and stress or black box testing are inadequate in these circumstances.

During the requirements definition phase of a software development project, the aspects of software testing that should be addressed are developing: A. test data covering critical applications. B. detailed test plans. C. quality assurance test specifications. D. user acceptance testing specifications.

D. user acceptance testing specifications. Answer: D Explanation: A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project and user acceptance test specification should be developed during this phase. The other choices are generally performed during the system testing phase.

When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that: A. increases in quality can be achieved, even if resource allocation is decreased. B. increases in quality are only achieved if resource allocation is increased. C. decreases in delivery time can be achieved, even if resource allocation is decreased. D. decreases in delivery time can only be achieved if quality is decreased.

a. Increases in quality can be achieved, even if resource allocation is decreased. Answer: A Explanation: The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, comprised of these three dimensions, is fixed. Depending on the degree of freedom, changes in one dimension might be compensated by changing either one or both remaining dimensions. Thus, if resource allocation is decreased an increase in quality can be achieved, if a delay in the delivery time of the project will be accepted. The area of the triangle always remains constant.

When reviewing an organization's approved software product list, which of the following is the MOST important thing to verify? A. The risks associated with the use of the products are periodically assessed B. The latest version of software is listed for each product C. Due to licensing issues the list does not contain open source software D. After hours support is offered

a. The risk associated with the use of the products are periodically addressed. Answer: A Explanation: Since the business conditions surrounding vendors may change, it is important for an organization to conduct periodic risk assessments of the vendor software list. This might be best incorporated into the IT risk management process. Choices B, C andD are possible considerations but would not be the most important.

When a new system is to be implemented within a short time frame, it is MOST important to: A. finish writing user manuals. B. perform user acceptance testing. C. add last-minute enhancements to functionalities. D. ensure that the code has been documented and reviewed.

b. Perform user acceptance testing. Answer: B Explanation: It would be most important to complete the user acceptance testing to ensure that the system to be implemented is working correctly. The completion of the user manuals is similar to the performance of code reviews. If time is tight, the last thing one would want to do is add another enhancement, as it would be necessary to freeze the code and complete the testing, then make any other changes as future enhancements. It would be appropriate to have the code documented and reviewed, but unless the acceptance testing is completed, there is no guarantee that the system will work correctly and meet user requirements.

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated? A. Overlapping controls B. Boundary controls C. Access controls D. Compensating controls

d. Compensating ocntrols Answer: D Explanation: Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated. Overlapping controls are two controls addressing the same control objective or exposure. Since primary controls cannot be achieved when duties cannot or are not appropriately segregated, it is difficult to install overlapping controls. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself, and are individual-based, not role-based, controls. Access controls for resources are based on individuals and not on roles.

As a driver of IT governance, transparency of IT's cost, value and risks is primarily achieved through: A. performance measurement. B. strategic alignment. C. value delivery. D. resource management.

A. Performance measurement. Answer: A Answer: A Explanation: Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver {process outcome) and how they deliver it (process capability and performance). Strategic alignment primarily focuses on ensuring linkage of business and IT plans. Value delivery is about executing the value proposition throughout the delivery cycle. Resource management is about the optimal investment in and proper management of critical IT resources. Transparency is primarily achieved through performance measurement as it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.

When reviewing an organization's strategic IT plan an IS auditor should expect to find: A. an assessment of the fit of the organization's application portfolio with business objectives. B. actions to reduce hardware procurement cost. C. a listing of approved suppliers of IT contract resources. D. a description of the technical architecture for the organization's network perimeter

A. An assessment of the fit of the organization's application portfolio with business objectives. Answer: A Answer: A Explanation: An assessment of how well an organization's application portfolio supports the organization's business objectives is a key component of the overall IT strategic planning process. This drives the demand side of IT planning and should convert into a set of strategic IT intentions. Further assessment can then be made of how well the overall IT organization, encompassing applications, infrastructure, services, management processes, etc., can support the business objectives. Operational efficiency initiatives belong to tactical planning, not strategic planning. The purpose of an IT strategic plan is toset out how IT will be used to achieve or support an organization's business objectives. A listing of approved suppliers of IT contract resources is a tactical rather than a strategic concern. An IT strategic plan would not normally include detail ofa specific technical architecture.

Which of the following should be considered FIRST when implementing a risk management program? A. An understanding of the organization's threat, vulnerability and risk profile B. An understanding of the risk exposures and the potential consequences of compromise C. A determination of risk management priorities based on potential consequences D. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level

A. An understanding of the organizations threat, vulnerability and risk profile. Answer: A Answer: A Explanation: Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization's threat, vulnerability and risk profile as a first step. Based on this, an understanding of risk exposure and potential consequences of compromise could be determined. Risk management priorities based on potential consequences could then be developed. This would provide a basis for the formulation of strategies for risk mitigation sufficient to keep the consequences from risk at an acceptable level.

Which of the following is MOST critical for the successful implementation and maintenance of a security policy? A. Assimilation of the framework and intent of a written security policy by all appropriate parties B. Management support and approval for the implementation and maintenance of a security policy C. Enforcement of security rules by providing punitive actions for any violation of security rules D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

A. Assimilation of the framework and intent of a written security policy by all appropriate parties. Answer: A Explanation: Assimilation of the framework and intent of a written security policy by the users of the system is critical to the successful implementation and maintenance of the security policy. A good password system may exist, but if the users of the system keep passwords written on their desk, the password is of little value. Management support and commitment is no doubt important, but for successful implementation and maintenance of security policy, educating the users on the importance of security is paramount. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules, is also required, along with the user's education onthe importance of security.

Effective IT governance will ensure that the IT plan is consistent with the organization's: A. business plan. B. audit plan. C. security plan. D. investment plan.

A. Business plan Answer: A Explanation: To govern IT effectively, IT and business should be moving in the same direction, requiring that the IT plans are aligned with an organization's business plans. The audit and investment plans are not part of the IT plan, while the security plan should be at a corporate level.

Which of the following activities performed by a database administrator (DBA) should be performed by a different person? A. Deleting database activity logs B. Implementing database optimization tools C. Monitoring database usage D. Defining backup and recovery procedures

A. Deleting database activity logs. Answer:A Answer: A Explanation: Since database activity logs record activities performed by the database administrator (DBA), deleting them should be performed by an individual other than the DBA. This is a compensating control to aid in ensuring an appropriate segregation of duties and is associated with the DBA's role. A DBA should perform the other activities as part of the normal operations.

IT control objectives are useful to IS auditors, as they provide the basis for understanding the: A. desired result or purpose of implementing specific control procedures. B. best IT security control practices relevant to a specific entity. C. techniques for securing information. D. security policy.

A. Desired result or purpose of implementing specific control procedures. Answer: A Explanation: An IT control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. They provide the actual objectives for implementing controls and may or may not be the best practices. Techniques are the means of achieving an objective, and a security policy is a subset of IT control objectives.

The ultimate purpose of IT governance is to: A. encourage optimal use of IT. B. reduce IT costs. C. decentralize IT resources across the organization. D. centralize control of IT.

A. Encourage optimal use of IT Answer: A Answer: A Explanation: IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired, although it may be desired in a decentralized environment. Centralizing control of IT is not always desired. An example of where it might be desired is an enterprise desiring a single point of customer contact.

In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether: A. there is an integration of IS and business staffs within projects. B. there is a clear definition of the IS mission and vision. C. a strategic information technology planning methodology is in place. D. the plan correlates business objectives to IS goals and objectives.

A. There is an integration of IS and business staffs within projects. Answer: A Explanation: The integration of IS and business staff in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IS short-range plan. Choices B, C and D are areas covered by a strategic plan.

Assessing IT risks is BEST achieved by: A. evaluating threats associated with existing IT assets and IT projects. B. using the firm's past actual loss experience to determine current exposure. C. reviewing published loss statistics from comparable organizations. D. reviewing IT control weaknesses identified in audit reports.

A. Evaluating threats associated with existing IT assets and IT projects. Answer: A Explanation: To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. Choices B, C and D are potentially useful inputs to the risk assessment process, but by themselves are not sufficient.Basing an assessment on past losses will not adequately reflect inevitable changes to the firm's IT assets, projects, controls and strategic environment. There are also likely to be problems with the scope and quality of the loss data available to beassessed. Comparable organizations will have differences in their IT assets, control environment and strategic circumstances. Therefore, their loss experience cannot be used to directly assess organizational IT risk. Control weaknesses identified during audits will be relevant in assessing threat exposure and further analysis may be needed to assess threat probability. Depending on the scope of the audit coverage, it is possible that not all of the critical IT assets and projects will have recently been audited, and there may not be a sufficient assessment of strategic IT risks.

A benefit of open system architecture is that it: A. facilitates interoperability. B. facilitates the integration of proprietary components. C. will be a basis for volume discounts from equipment vendors. D. allows for the achievement of more economies of scale for equipment

A. Facilitates interoperability. Answer: A Answer: A Explanation: Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system components are built to proprietary standards so that other suppliers' systems cannot or will not interface with existing systems.

The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than: A. financial results. B. customer satisfaction. C. internal process efficiency. D. innovation capacity.

A. Financial results. Answer: A Explanation: Financial results have traditionally been the sole overall performance metric. The IT balanced scorecard (BSC) is an IT business governance tool aimed at monitoring IT performance evaluation indicators other than financial results. The IT BSC considers other key success factors, such as customer satisfaction, innovation capacity and processing.

When implementing an IT governance framework in an organization the MOST important objective is: A. IT alignment with the business. B. accountability. C. value realization with IT. D. enhancing the return on IT investments.

A. IT alignment with the business. Answer:A Explanation: The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business {choice A). To achieve alignment, all other choices need to be tied to business practices and strategies.

A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative? A. Issues of privacy B. Wavelength can be absorbed by the human body C. RFID tags may not be removable D. RFID eliminates line-of-sight reading Answer:

A. Issues of Privacy Answer: A Answer: A Explanation: The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because RFID can carry unique identifier numbers. If desired it would be possible for a firm to track individuals who purchase an item containing an RFID. Choices B and C are concerns of less importance. Choice D is not a concern.

An IS auditor should be concerned when a telecommunication analyst: A. monitors systems performance and tracks problems resulting from program changes. B. reviews network load requirements in terms of current and future transaction volumes. C. assesses the impact of the network load on terminal response times and network data transfer rates. D. recommends network balancing procedures and improvements.

A. Monitors systems performance and tracks problems resulting from program changes. Answer: A Explanation: The responsibilities of a telecommunications analyst include reviewing network load requirements in terms of current and future transaction volumes {choice B), assessing the impact of network load or terminal response times and network data transferrates (choice C), and recommending network balancing procedures and improvements (choice D). Monitoring systems performance and tracking problems as a result of program changes {choice A) would put the analyst in a self-monitoring role.

In the context of effective information security governance, the primary objective of value delivery is to: A. optimize security investments in support of business objectives. B. implement a standard set of security practices. C. institute a standards-based solution. D. implement a continuous improvement culture.

A. Optimize security investments in support of business objectives. Answer: A Answer: A Explanation: In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. The tools and techniques for implementing value delivery include implementation of a standard set of security practices, institutionalization and commoditization of standards-based solutions, and implementation of a continuous improvement culture considering security as a process, not an event.

With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor? A. Outsourced activities are core and provide a differentiated advantage to the organization. B. Periodic renegotiation is specified in the outsourcing contract. C. The outsourcing contract fails to cover every action required by the arrangement. D. Similar activities are outsourced to more than one vendor.

A. Outsourced activities are core and provde a differentiated advantage to the organization. Answer: A Explanation: An organization's core activities generally should not be outsourced, because they are what the organization does best; an IS auditor observing that should be concerned. An IS auditor should not be concerned about the other conditions because specification of periodic renegotiation in the outsourcing contract is a best practice. Outsourcing contracts cannot be expected to cover every action and detail expected of the parties involved, while multisourcing is an acceptable way to reduce risk.

Which of the following is normally a responsibility of the chief security officer (CSO)? A. Periodically reviewing and evaluating the security policy B. Executing user application and software testing and evaluation C. Granting and revoking user access to IT resources D. Approving access to data and applications

A. Periodically reviewing and evaluating the security policy. Answer: A Explanation: The role of a chief security officer (CSO) is to ensure that the corporate security policy and controls are adequate to prevent unauthorized access to the company assets, including data, programs and equipment. User application and other software testing and evaluation normally are the responsibility of the staff assigned to development and maintenance. Granting and revoking access to IT resources is usually a function of network or database administrators. Approval of access to data and applications is the duty of the data owner.

The PRIMARY objective of implementing corporate governance by an organization's management is to: A. provide strategic direction. B. control business operations. C. align IT with business. D. implement best practices.

A. Provide strategic direction. Answer: A Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized. Hence, the primary objective of corporate governance is to provide strategic direction. Based on the strategic direction, business operations are directed and controlled

An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)? A. References from other customers B. Service level agreement (SLA) template C. Maintenance agreement D. Conversion plan

A. References from other customers. Answer: A Answer: A Explanation: An IS auditor should look for an independent verification that the ISP can perform the tasks being contracted for. References from other customers would provide an independent, external review and verification of procedures and processes the ISP follows-issues which would be of concern to an IS auditor. Checking references is a means of obtaining an independent verification that the vendor can perform the services it says it can. A maintenance agreement relates more to equipment than to services, and a conversion plan, while important, is less important than verification that the ISP can provide the services they propose.

While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Since the work involves confidential information, the IS auditor's PRIMARY concern shouldbe that the: A. requirement for protecting confidentiality of information could be compromised. B. contract may be terminated because prior permission from the outsourcer was not obtained. C. other service provider to whom work has been outsourced is not subject to audit. D. outsourcer will approach the other service provider directly for further work.

A. Requirement for protecting confidentiality of information could be compromised. Answer: A Explanation: Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. Where a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised. Choices B and C could be concerns but are not related to ensuring the confidentiality of information. There is no reason why an IS auditor should be concerned with choice D.

Which of the following is a mechanism for mitigating risks? A. Security and control practices B. Property and liability insurance C. Audit and certification D. Contracts and service level agreements (SLAs)

A. Security and control practices. Answer: A Explanation: Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, while contracts and SLAs are mechanisms of risk allocation.

As an outcome of information security governance, strategic alignment provides: A. security requirements driven by enterprise requirements. B. baseline security following best practices. C. institutionalized and commoditized solutions. D. an understanding of risk exposure.

A. Security requirenments driven by enterprise requirements. Answer: A Answer: A Explanation: Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements. Value delivery provides a standard set of security practices, i.e., baseline security following best practices or institutionalized and commoditized solutions. Risk management provides an understanding of risk exposure.

A top-down approach to the development of operational policies will help ensure: A. that they are consistent across the organization. B. that they are implemented as a part of risk assessment. C. compliance with all policies. D. that they are reviewed periodically.

A. That they are consistent across the organization. Answer: A Explanation: Deriving lower level policies from corporate policies {a top-down approach) aids in ensuring consistency across the organization and consistency with other policies. The bottom-up approach to the development of operational policies is derived as a result of risk assessment. A top-down approach of itself does not ensure compliance and development does not ensure that policies are reviewed.

When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor? A. There could be a question regarding the legal jurisdiction. B. Having a provider abroad will cause excessive costs in future audits. C. The auditing process will be difficult because of the distance. D. There could be different auditing norms.

A. There could be a question regarding the legal jurisdiction. Answer: A Explanation: In the funds transfer process, when the processing scheme is centralized in a different country, there could be legal issues of jurisdiction that might affect the right to perform a review in the other country. The other choices, though possible, are not as relevant as the issue of legal jurisdiction.

An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that: A. this lack of knowledge may lead to unintentional disclosure of sensitive information. B. information security is not critical to all functions. C. IS audit should provide security training to the employees. D. the audit finding will cause management to provide continuous training to staff.

A. This lack of knowledge may lead to unintentional disclosure of sensitive information. Answer: A Answer: A Explanation: All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.

A poor choice of passwords and transmission over unprotected communications lines are examples of: A. vulnerabilities. B. threats. C. probabilities. D. impacts.

A. Vulnerabilities. Answer: A Explanation: Vulnerabilities represent characteristics of information resources that may be exploited by a threat. Threats are circumstances or events with the potential to cause harm to information resources. Probabilities represent the likelihood of the occurrence of a threat, while impacts represent the outcome or result of a threat exploiting a vulnerability.

An IT steering committee should review information systems PRIMARILY to assess: A. whether IT processes support business requirements. B. if proposed system functionality is adequate. C. the stability of existing software. D. the complexity of installed technology.

A. Whether IT processes support business requirements. Answer: A Explanation: The role of an IT steering committee is to ensure that the IS department is in harmony with the organization's mission and objectives. To ensure this, the committee must determine whether IS processes support the business requirements. Assessing proposed additional functionality and evaluating software stability and the complexity of technology are too narrow in scope to ensure that IT processes are, in fact, supporting the organization's goals.

Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan? A. Yes, because an IS auditor will evaluate the adequacy of the service bureau's plan and assist their company in implementing a complementary plan. B. Yes, because based on the plan, an IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract. C. No, because the backup to be provided should be specified adequately in the contract. D. No, because the service bureau's business continuity plan is proprietary information.

A. Yes, because an IS auditor will evaluate the adequacy of the service bureau's plan and assist their company in implementing a complementary plan Answer: A Answer: A Explanation: The primary responsibility of an IS auditor is to assure that the company assets are being safeguarded. This is true even if the assets do not reside on the immediate premises. Reputable service bureaus will have a well-designed and tested business continuity plan.

An IS auditor who is reviewing incident reports discovers that, in one instance, an important document left on an employee's desk was removed and put in the garbage by the outsourced cleaning staff. Which of the following should the IS auditor recommend to management? A. Stricter controls should be implemented by both the organization and the cleaning agency. B. No action is required since such incidents have not occurred in the past. C. A clear desk policy should be implemented and strictly enforced in the organization. D. A sound backup policy for all important office documents should be implemented

A. stricter controls should be implemented by both the organization and the cleaning agency. Anwer: A Answer: A Explanation: An employee leaving an important document on a desk and the cleaning staff removing it may result in a serious impact on the business. Therefore, the IS auditor should recommend that strict controls be implemented by both the organization and the outsourced cleaning agency. That such incidents have not occurred in the past does not reduce the seriousness of their impact. Implementing and monitoring a clear desk policy addresses only one part of the issue. Appropriate confidentiality agreements with thecleaning agency, along with ensuring that the cleaning staff has been educated on the dos and don'ts of the cleaning process, are also controls that should be implemented. The risk here is not a loss of data, but leakage of data to unauthorized sources. A backup policy does not address the issue of unauthorized leakage of information.

The advantage of a bottom-up approach to the development of organizational policies is that the policies: A. are developed for the organization as a whole. B. are more likely to be derived as a result of a risk assessment. C. will not conflict with overall corporate policy. D. ensure consistency across the organization.

B. Are more likely to be derived as a result of a risk assessment. Answer: B Answer: B Explanation: A bottom-up approach begins by defining operational-level requirements and policies, which are derived and implemented as the result of risk assessments. Enterprise-level policies are subsequently developed based on a synthesis of existing operational policies. Choices A, C and D are advantages of a top-down approach for developing organizational policies. This approach ensures that the policies will not be in conflict with overall corporate policy and ensure consistency across the organization.

IT governance is PRIMARILY the responsibility of the: A. chief executive officer. B. board of directors. C. IT steering committee. D. audit committee.

B. Board of Directors Answer: B Answer: B Explanation: IT governance is primarily the responsibility of the executives and shareholders {as represented by the board of directors). The chief executive officer is instrumental in implementing IT governance per the directions of the board of directors. The IT steering committee monitors and facilitates deployment of IT resources for specific projects in support of business plans. The audit committee reports to the board of directors and should monitor the implementation of audit recommendations.

Before implementing an IT balanced scorecard, an organization must: A. deliver effective and efficient services. B. define key performance indicators. C. provide business value to IT projects. D. control IT expenses.

B. Define key performance indicators Answer: B Explanation: A definition of key performance indicators is required before implementing an IT balanced scorecard. Choices A, C and D are objectives

The PRIMARY benefit of implementing a security program as part of a security governance framework is the: A. alignment of the IT activities with IS audit recommendations. B. enforcement of the management of security risks. C. implementation of the chief information security officer's (CISO) recommendations. D. reduction of the cost for IT security.

B. Enforccement of the mangement of security risks. Anwer: B Explanation: The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level of risk, and the monitoring of the remaining residual risks. Recommendations, visions and objectives of the auditor and the chief information security officer (CISO) are usually included within a security program, but they would not be the major benefit. The cost of IT security may or may not be reduced.

To minimize costs and improve service levels an outsourcer should seek which of the following contract clauses? A. O/S and hardware refresh frequencies B. Gain-sharing performance bonuses C. Penalties for noncompliance D. Charges tied to variable cost metrics

B. Gain- sharing performance bonuses Answer: B Explanation: Because the outsourcer will share a percentage of the achieved savings, gain-sharing performance bonuses provide a financial incentive to go above and beyond the stated terms of the contract and can lead to cost savings for the client. Refresh frequencies and penalties for noncompliance would only encourage the outsourcer to meet minimum requirements. Similarly, tying charges to variable cost metrics would not encourage the outsourcer to seek additional efficiencies that might benefit the client.

To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the: A. enterprise data model. B. IT balanced scorecard (BSC). C. IT organizational structure. D. historical financial statements.

B. IT balanced scorecard (BSC) Answer: B Explanation: The IT balanced scorecard (BSC) is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the abilityto innovate. An enterprise data model is a document defining the data structure of an organization and how data interrelate. It is useful, but it does not provide information on investments. The IT organizational structure provides an overview of the functional and reporting relationships in an IT entity. Historical financial statements do not provide information about planning and lack sufficient detail to enable one to fully understand management's activities regarding IT assets. Past costs do not necessarily reflect value, and assets such as data are not represented on the books of accounts.

When reviewing IS strategies, an IS auditor can BEST assess whether IS strategy supports the organizations' business objectives by determining if IS: A. has all the personnel and equipment it needs. B. plans are consistent with management strategy. C. uses its equipment and personnel efficiently and effectively. D. has sufficient excess capacity to respond to changing directions.

B. Plans are consistent with management strategy. Explanation: Determining if the IS plan is consistent with management strategy relates IS/IT planning to business plans. Choices A, C and D are effective methods for determining the alignment of IS plans with business objectives and the organization's strategies.

Which of the following is the initial step in creating a firewall policy? A. A cost-benefit analysis of methods for securing the applications B. Identification of network applications to be externally accessed C. Identification of vulnerabilities associated with network applications to be externally accessed D. Creation of an applications traffic matrix showing protection methods

B. Identification of network applicaitons to be externally accessed. Answer: B Explanation: Identification of the applications required across the network should be identified first. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications. Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step. Having identified the applications, the next step is to identify vulnerabilities (weaknesses) associated with the network applications. The next step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.

Which of the following is the MOST important element for the successful implementation of IT governance? A. Implementing an IT scorecard B. Identifying organizational strategies C. Performing a risk assessment D. Creating a formal security policy

B. Identifying organizational strategies. Answer: B Explanation: The key objective of an IT governance program is to support the business, thus the identification of organizational strategies is necessary to ensure alignment between IT and corporate governance. Without identification of organizational strategies,the remaining choices-even if implemented-would be ineffective.

An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and vendor should be the provisions for: A. documentation of staff background checks. B. independent audit reports or full audit access. C. reporting the year-to-year incremental cost reductions. D. reporting staff turnover, development or training.

B. Independent audit reports or full audit access. Answer: B Explanation: When the functions of an IS department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access. Although it is necessary to document the fact that background checks are performed, this is not as important as provisions for audits. Financial measures such as year-to-year incremental cost reductions are desirable to have in a service level agreement (SLA); however, cost reductions are not as important as the availability of independent audit reports or full audit access. An SLA might include human relationship measures such as resource planning, staff turnover, development or training, but this is not as important as the requirements for independent reports or full audit access by the outsourcing organization.

Which of the following is the BEST performance criterion for evaluating the adequacy of an organization's security awareness training? A. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection. B. Job descriptions contain clear statements of accountability for information security. C. In accordance with the degree of risk and business impact, there is adequate funding for security efforts. D. No actual incidents have occurred that have caused a loss or a public embarrassment.

B. Job descriptions contain clear statements of accountability for information security. Answer: B Explanation: Inclusion in job descriptions of security responsibilities is a form of security training and helps ensure that staff and management are aware of their roles with respect to information security. The other three choices are not criterion for evaluating security awareness training. Awareness is a criterion for evaluating the importance that senior management attaches to information assets and their protection. Funding is a criterion that aids in evaluating whether security vulnerabilities are being addressed, while the number of incidents that have occurred is a criterion for evaluating the adequacy of the risk management program.

In an organization, the responsibilities for IT security are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model? A. Optimized B. Managed C. Defined D. Repeatable

B. Managed Answer: B Answer: B Explanation: Boards of directors and executive management can use the information security governance maturity model to establish rankings for security in their organizations. The ranks are nonexistent, initial, repeatable, defined, managed and optimized. When the responsibilities for IT security in an organization are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed, it is said to be 'managed and measurable.'

An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend? A. User acceptance testing (UAT) occur for all reports before release into production B. Organizational data governance practices be put in place C. Standard software tools be used for report development D. Management sign-off on requirements for new reports

B. Organizational data governance practices be put in place. Answer: B Answer: B Explanation: This choice directly addresses the problem. An organizationwide approach is needed to achieve effective management of data assets. This includes enforcing standard definitions of data elements, which is part of a data governance initiative. The otherchoices, while sound development practices, do not address the root cause of the problem described.

An IS auditor is reviewing a project to implement a payment system between a parent bank and a subsidiary. The IS auditor should FIRST verify that the: A. technical platforms between the two companies are interoperable. B. parent bank is authorized to serve as a service provider. C. security features are in place to segregate subsidiary trades. D. subsidiary can join as a co-owner of this payment system.

B. Parent bank is authorized to serve as a service provider. Answer: B Answer: Even between parent and subsidiary companies, contractual agreement(s) should be in place to conduct shared services. This is particularly important in highly regulated organizations such as banking. Unless granted to serve as a service provider, it may not be legal for the bank to extend business to the subsidiary companies. Technical aspects should always be considered; however, this can be initiated after confirming that the parent bank can serve as a service provider. Security aspects are another important factor; however, this should be considered after confirming that the parent bank can serve as a service provider. The ownership of the payment system is not as important as the legal authorization to operate the system.

When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control? A. Restricting physical access to computing equipment B. Reviewing transaction and application logs C. Performing background checks prior to hiring IT staff D. Locking user sessions after a specified period of inactivity

B. Reviewing transaction and application logs. Answer: b Answer: B Explanation: Only reviewing transaction and application logs directly addresses the threat posed by poor segregation of duties. The review is a means of detecting inappropriate behavior and also discourages abuse, because people who may otherwise be tempted to exploit the situation are aware of the likelihood of being caught. Inadequate segregation of duties is more likely to be exploited via logical access to data and computing resources rather than physical access. Choice C is a useful control to ensure ITstaff are trustworthy and competent but does not directly address the lack of an optimal segregation of duties. Choice D acts to prevent unauthorized users from gaining system access, but the issue of a lack of segregation of duties is more the misuse (deliberately or inadvertently} of access privileges that have officially been granted.

An IS auditor reviewing an organization's IT strategic plan should FIRST review: A. the existing IT environment. B. the business plan. C. the present IT budget. D. current technology trends.

B. The Business Plan Explanation: The IT strategic plan exists to support the organization's business plan. To evaluate the IT strategic plan, an IS auditor would first need to familiarize themselves with the business plan.

Which of the following should be included in an organization's IS security policy? A. A list of key IT resources to be secured B. The basis for access authorization C. Identity of sensitive security features D. Relevant software security features

B. The basis of access authorization Answer: B Explanation: The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. Choices A, B and C are more detailed than that which should be included in a policy.

After the merger of two organizations, multiple self-developed legacy applications from both companies are to be replaced by a new common platform. Which of the following would be the GREATEST risk? A. Project management and progress reporting is combined in a project management office which is driven by external consultants. B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach. C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company's legacy systems. D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach. Answer: B Answer: B Explanation: The efforts should be consolidated to ensure alignment with the overall strategy of the postmerger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house developed legacy applications. In postmerger integration programs, it is common to form project management offices to ensure standardized and comparable information levels in the planning and reporting structures, and to centralizedependencies of project deliverables or resources. The experience of external consultants can be valuable since project management practices do not require in-depth knowledge of the legacy systems. This can free up resources for functional tasks. Itis a good idea to first get familiar with the old systems, to understand what needs to be done in a migration and to evaluate the implications of technical decisions. In most cases, mergers result in application changes and thus in training needs asorganizations and processes change to leverage the intended synergy effects of the merger.

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider: A. meets or exceeds industry security standards. B. agrees to be subject to external security reviews. C. has a good market reputation for service and experience. D. complies with security policies of the organization.

B. agrees to be subject to external security reviews. Answers: B Explanation: It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. Compliance with security standards or organization policies is important, but there is no way to verify orprove that that is the case without an independent review. Though long experience in business and good reputation is an important factor to assess service quality, the business cannot outsource to a provider whose security control is weak.

Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to: A. ensure the employee maintains a good quality of life, which will lead to greater productivity. B. reduce the opportunity for an employee to commit an improper or illegal act. C. provide proper cross-training for another employee. D. eliminate the potential disruption caused when an employee takes vacation one day at a time.

B: reduce the opportunity for an employee to commit an improper or illegal act. Answer: B Explanation: Required vacations/holidays of a week or more in duration in which someone other than the regular employee performs the job function is often mandatory for sensitive positions, as this reduces the opportunity to commit improper or illegal acts. During this time it may be possible to discover any fraudulent activity that was taking place. Choices A, C and D could all be organizational benefits from a mandatory vacation policy, but they are not the reason why the policy is established.

The initial step in establishing an information security program is the: A. development and implementation of an information security standards manual. B. performance of a comprehensive security control review by the IS auditor. C. adoption of a corporate information security policy statement. D. purchase of security access control software.

C. Adoption of a corporate information security policy statement. Answer: C Explanation: A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program.

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should: A. compute the amortization of the related assets. B. calculate a return on investment (ROI). C. apply a qualitative approach. D. spend the time needed to define exactly the loss amount.

C. Apply a qualitative approach. Answer: C Explanation: The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the financial loss in terms of a weighted factor {e.g., one is a very low impact to thebusiness and five is a very high impact). An ROI is computed when there is predictable savings or revenues that can be compared to the investment needed to realize the revenues. Amortization is used in a profit and loss statement, not in computing potential losses. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change, and at the end of the day, the result will be a not well-supported evaluation.

Which of the following is a function of an IS steering committee? A. Monitoring vendor-controlled change control and testing B. Ensuring a separation of duties within the information's processing environment C. Approving and monitoring major projects, the status of IS plans and budgets D. Liaising between the IS department and the end users

C. Approving and monitoring major projects, the status of IS plans and budgets. Answer: C Explanation: The IS steering committee typically serves as a general review board for major IS projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, the status of IS plans and budgets. Vendor change control is an outsourcing issue and should be monitored by IS management. Ensuring a separation of duties within the information's processing environment is an IS management responsibility. Liaising between the IS department and the end users is a function of the individual parties and not a committee.

The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail: A. destruction policy. B. security policy. C. archive policy. D. audit policy.

C. Archive policy. Answer: C Explanation: With a policy of well-archived e-mail records, access to or retrieval of specific e-mail records is possible without disclosing other confidential e-mail records. Security and/or audit policies would not address the efficiency of record retrieval, and destroying e-mails may be an illegal act.

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan: A. incorporates state of the art technology. B. addresses the required operational controls. C. articulates the IT mission and vision. D. specifies project management practices.

C. Articulates the IT mission and vision. Answer: C Explanation: The IT strategic plan must include a clear articulation of the IT mission and vision. The plan need not address the technology, operational controls or project management practices

The MAJOR consideration for an IS auditor reviewing an organization's IT project portfolio is the: A. IT budget. B. existing IT environment. C. business plan. D. investment plan.

C. Business Plan Explanation: One of the most important reasons for which projects get funded is how well a project meets an organization's strategic objectives. Portfolio management takes a holistic view of a company's overall IT strategy. IT strategy should be aligned with thebusiness strategy and, hence, reviewing the business plan should be the major consideration. Choices A, B and D are important but secondary to the importance of reviewing the business plan.

When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the: A. establishment of a review board. B. creation of a security unit. C. effective support of an executive sponsor. D. selection of a security process owner.

C. Effective support of an executive sponsor. Answer: C Explanation: The executive sponsor would be in charge of supporting the organization's strategic security program, and would aid in directing the organization's overall security management activities. Therefore, support by the executive level of management is themost critical success factor (CSF). None of the other choices are effective without visible sponsorship of top management

An IS steering committee should: A. include a mix of members from different departments and staff levels. B. ensure that IS security policies and procedures have been executed properly. C. have formal terms of reference and maintain minutes of its meetings. D. be briefed about new trends and products at each meeting by a vendor.

C. Have formal terms of reference and maintain minutes of its meetings. Answer: C Answer: C Explanation: It is important to keep detailed steering committee minutes to document the decisions and activities of the IS steering committee, and the board of directors should be informed about those decisions on a timely basis. Choice A is incorrect because only senior management or high-level staff members should be on this committee because of its strategic mission. Choice B is not a responsibility of this committee, but the responsibility of the security administrator. Choice D is incorrect because a vendor should be invited to meetings only when appropriate.

A local area network (LAN) administrator normally would be restricted from: A. having end-user responsibilities. B. reporting to the end-user manager. C. having programming responsibilities. D. being responsible for LAN security administration.

C. Having programming responsiblities Answer: C Answer: C Explanation: A LAN administrator should not have programming responsibilities but may have end-user responsibilities. The LAN administrator may report to the director of the IPF or, in a decentralized operation, to the end-user manager. In small organizations, the LAN administrator may also be responsible for security administration over the LAN.

An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application looking for vulnerabilities. What would be the next task? A. Report the risks to the CIO and CEO immediately B. Examine e-business application in development C. Identify threats and likelihood of occurrence D. Check the budget available for risk management

C. Identify threats and likelihood of occurance. Answer: C Explanation: An IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. Choices A, B and D should be discussed with the CIO, and a report should be delivered to the CEO. The report should include the findings along with priorities and costs.

When developing a risk management program, what is the FIRST activity to be performed? A. Threat assessment B. Classification of data C. Inventory of assets D. Criticality analysis

C. Inventory of Assets Answer: C Answer: C Explanation: Identification of the assets to be protected is the first step in the development of a risk management program. A listing of the threats that can affect the performance of these assets and criticality analysis are later steps in the process. Data classification is required for defining access controls and in criticality analysis.

To ensure an organization is complying with privacy requirements, an IS auditor should FIRST review: A. the IT infrastructure. B. organizational policies, standards and procedures. C. legal and regulatory requirements. D. the adherence to organizational policies, standards and procedures.

C. Legal and regulatory requirements. Answer: C Answer: C Explanation: To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures.

To address the risk of operations staff's failure to perform the daily backup, management requires that the systems administrator sign off on the daily backup. This is an example of risk: A. avoidance. B. transference. C. mitigation. D. acceptance.

C. Mitigation Answer: C Answer: C Explanation: Mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. Avoidance is a strategy that provides for not implementing certain activities or processes that would incur risk. Transference is the strategy that provides for sharing risk with partners or taking insurance coverage. Acceptance is a strategy that provides for formal acknowledgement of the existence of a risk and the monitoring of that risk.

Which of the following is a risk of cross-training? A. Increases the dependence on one employee B. Does not assist in succession planning C. One employee may know all parts of a system D. Does not help in achieving a continuity of operations

C. One employee may know all parts of a system. Answer: C Explanation: When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any reason and thereby facilitates the continuity of operations.

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of: A. dependency on a single person. B. inadequate succession planning. C. one person knowing all parts of a system. D. a disruption of operations.

C. One person knowing all parts of a system. Answer: C Answer: C Explanation: Cross-training is a process of training more than one individual to perform a specific job or procedure. This practice helps decrease the dependence on a single person and assists in succession planning. This provides for the backup of personnel in the event of an absence and, thereby, provides for the continuity of operations. However, in using this approach, it is prudent to have first assessed the risk of any person knowing all parts of a system and the related potential exposures. Cross-training reduces the risks addressed in choices A, B and D.

An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the: A. hardware configuration. B. access control software. C. ownership of intellectual property. D. application development methodology.

C. Ownership of intellectual property. Answer: C Explanation: Of the choices, the hardware and access control software is generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations. Similarly, the development methodology should be ofno real concern. The contract must, however, specify who owns the intellectual property (i.e., information being processed, application programs). Ownership of intellectual property will have a significant cost and is a key aspect to be defined in an outsourcing contract.

Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation? A. Time zone differences could impede communications between IT teams. B. Telecommunications cost could be much higher in the first year. C. Privacy laws could prevent cross-border flow of information. D. Software development may require more detailed specifications.

C. Privacy laws could prevent cross-border flow of inforamtion. Answer: C Explanation: Privacy laws prohibiting the cross-border flow of personally identifiable information would make it impossible to locate a data warehouse containing customer information in another country. Time zone differences and higher telecommunications costs are more manageable. Software development typically requires more detailed specifications when dealing with offshore operations.

An IS auditor finds that, in accordance with IS policy, IDs of terminated users are deactivated within 90 days of termination. The IS auditor should: A. report that the control is operating effectively since deactivation happens within the time frame stated in the IS policy. B. verify that user access rights have been granted on a need-to-have basis. C. recommend changes to the IS policy to ensure deactivation of user IDs upon termination. D. recommend that activity logs of terminated users be reviewed on a regular basis.

C. Recommend changes to the IS policy to ensure deactiviation of user IDs upon termination Answer: C Answer: C Explanation: Although a policy provides a reference for performing IS audit assignments, an IS auditor needs to review the adequacy and the appropriateness of the policy. If, in the opinion of the auditor, the time frame defined for deactivation is inappropriate,the auditor needs to communicate this to management and recommend changes to the policy. Though the deactivation happens as stated in the policy, it cannot be concluded that the control is effective. Best practice would require that the ID of a terminated user be deactivated immediately. Verifying that user access rights have been granted on a need-to-have basis is necessary when permissions are granted. Recommending that activity logs of terminated users be reviewed on a regular basis is a good practice, but not as effective as deactivation upon termination.

The output of the risk management process is an input for making: A. business plans. B. audit charters. C. security policy decisions. D. software design decisions.

C. Security policy decisions Answer: C Explanation: The risk management process is about making specific, security-related decisions, such as the level of acceptable risk. Choices A, B and D are not ultimate goals of the risk management process.

Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities? A. Define a balanced scorecard (BSC) for measuring performance B. Consider user satisfaction in the key performance indicators (KPIs) C. Select projects according to business benefits and risks D. Modify the yearly process of defining the project portfolio

C. Select projects according to business benefits and risks. Answer: C Answer: C Explanation: Prioritization of projects on the basis of their expected benefit(s) to business, and the related risks, is the best measure for achieving alignment of the project portfolio to an organization's strategic priorities. Modifying the yearly process of the projects portfolio definition might improve the situation, but only if the portfolio definition process is currently not tied to the definition of corporate strategies; however, this is unlikely since the difficulties are in maintaining the alignment, and not in setting it up initially. Measures such as balanced scorecard (BSC) and key performance indicators (KPIs) are helpful, but they do not guarantee that the projects are aligned with business strategy.

An IS auditor is reviewing an IT security risk management program. Measures of security risk should: A. address all of the network risks. B. be tracked over time against the IT strategic plan. C. take into account the entire IT environment. D. result in the identification of vulnerability tolerances.

C. Taken into account the entire IT environment. Answer: C Explanation: When assessing IT security risk, it is important to take into account the entire IT environment. Measures of security risk should focus on those areas with the highest criticality so as to achieve maximum risk reduction at the lowest possible cost. IT strategic plans are not granular enough to provide appropriate measures. Objective metrics must be tracked over time against measurable goals, thus the management of risk is enhanced by comparing today's results against last week, last month, last quarter. Risk measures will profile assets on a network to objectively measure vulnerability risk. They do not identify tolerances.

The MOST likely effect of the lack of senior management commitment to IT strategic planning is: A. a lack of investment in technology. B. a lack of a methodology for systems development. C. technology not aligning with the organization's objectives. D. an absence of control over technology contracts.

C. Technology not aligning with the organizations objectives. Answer: C Explanation: A steering committee should exist to ensure that the IT strategies support the organization's goals. The absence of an information technology committee or a committee not composed of senior managers would be an indication of a lack of top-level management commitment. This condition would increase the risk that IT would not be aligned with the organization's strategy.

An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST? A. That an audit clause is present in all contracts B. That the SLA of each contract is substantiated by appropriate KPIs C. That the contractual warranties of the providers support the business needs of the organization D. That at contract termination, support is guaranteed by each outsourcer for new outsourcers

C. That the contractual waranties of the providers support the business needs of the organization. Answer: C Explanation: The complexity of IT structures matched by the complexity and interplay of responsibilities and warranties may affect or void the effectiveness of those warranties and the reasonable certainty that the business needs will be met. All other choices are important, but not as potentially dangerous as the interplay of the diverse and critical areas of the contractual responsibilities of the outsourcers.

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of: A. control self-assessments. B. a business impact analysis. C. an IT balanced scorecard. D. business process reengineering.

C. an IT balanced scorecard. Answer: C Explanation: An IT balanced scorecard (BSC) provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. Control selfassessment (CSA), business impact analysis (BIA) and business process reengineering (BPR) are insufficient to align IT with organizational objectives.

Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems? A. User management coordination does not exist. B. Specific user accountability cannot be established. C. Unauthorized users may have access to originate, modify or delete data. D. Audit recommendations may not be implemented.

C. unauthorized users may have access to originate modify or delete data. Answer C Explanation: Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that one could gain (be given) system access when they should not have authorization. By assigning authority to grant access to specific users, there is a better chance that business objectives will be properly supported.

A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual'sexperience and: A. length of service, since this will help ensure technical competence. B. age, as training in audit techniques may be impractical. C. IS knowledge, since this will bring enhanced credibility to the audit function. D. ability, as an IS auditor, to be independent of existing IS relationships.

D. Ability as an IS auditor, to be independent of existing IS relationships Answer: D Answer: D Explanation: Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities. The fact that the employee has worked in IS for many years may not in itself ensure credibility. The audit department's needs should be defined and any candidate should be evaluated against those requirements. The length of service will not ensure technical competency. Evaluating an individual's qualifications based on the age of the individual is not a good criterion and is illegal in many parts of the world.

Which of the following goals would you expect to find in an organization's strategic plan? A. Test a new accounting package. B. Perform an evaluation of information technology needs. C. Implement a new project planning system within the next 12 months. D. Become the supplier of choice for the product offered.

D. Become the supplier choice of the project offered. Answer: D Explanation: Strategic planning sets corporate or departmental objectives into motion. Comprehensive planning helps ensure an effective and efficient organization. Strategic planning is timeand project-oriented, but also must address and help determine priorities to meet business needs. Long- and short-range plans should be consistent with the organization's broader plans for attaining their goals. Choice D represents a business objective that is intended to focus the overall direction of the business andwould thus be a part of the organization's strategic plan. The other choices are project-oriented and do not address business objectives.

Responsibility for the governance of IT should rest with the: A. IT strategy committee. B. chief information officer (CIO). C. audit committee. D. board of directors.

D. Board of Directors. Answer: D Explanation: Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly. The audit committee, the chief information officer (CIO) and the IT strategy committee all play a significant role in the successful implementation of IT governance within an organization, but the ultimate accountability resides with the board of directors.

The development of an IS security policy is ultimately the responsibility of the: A. IS department. B. security committee. C. security administrator. D. board of directors.

D. Board of directors. Answer: D Answer: D Explanation: Normally, the designing of an information systems security policy is the responsibility of top management or the board of directors. The IS department is responsible for the execution of the policy, having no authority in framing the policy. The security committee also functions within the broad security policy framed by the board of directors. The security administrator is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized.

To assist an organization in planning for IT investments, an IS auditor should recommend the use of: A. project management tools. B. an object-oriented architecture. C. tactical planning. D. enterprise architecture (EA).

D. Enterprise architecture (EA) Answer: D Explanation: Enterprise architecture (EA) involves documenting the organization's IT assets and processes in a structured manner to facilitate understanding, management and planning for IT investments. It involves both a current state and a representation of an optimized future state. In attempting to complete an EA, organizations can address the problem either from a technology perspective or a business process perspective. Project management does not consider IT investment aspects; it is a tool to aid in delivering projects. Object-oriented architecture is a software development methodology and does not assist in planning for IT investment, while tactical planning is relevant only after high-level IT investment decisions have been made.

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described IT risks. What is the MOST appropriate recommendation in this situation? A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts. B. Use common industry standard aids to divide the existing risk documentation into several individual risks which will be easier to handle. C. No recommendation is necessary since the current approach is appropriate for a medium-sized organization. D. Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization's risk management.

D. Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the orgnaization's risk management. Answer: D Explanation: Establishing regular meetings is the best way to identify and assess risks in a mediumsized organization, to address responsibilities to the respective management and to keep the risk list and mitigation plans up to date. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risks are usually manageable enough so that external help would not be needed. While common risks may be covered by common industry standards, they cannot address the specific situation of an organization. Individual risks will not be discovered without a detailed assessment from within the organization. Splitting the one risk position into several is not sufficient.

The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program? A. Utilization of an intrusion detection system to report incidents B. Mandating the use of passwords to access all software C. Installing an efficient user log system to track the actions of each user D. Training provided on a regular basis to all current and new employees

D. Training provided on a regular basis to all current and new employees. Answer: D Explanation: Utilizing an intrusion detection system to report on incidents that occur is an implementation of a security program and is not effective in establishing a security awareness program. Choices B and C do not address awareness. Training is the only choice that is directed at security awareness.

From a control perspective, the key element in job descriptions is that they: A. provide instructions on how to do the job and define authority. B. are current, documented and readily available to the employee. C. communicate management's specific job performance expectations. D. establish responsibility and accountability for the employee's actions.

D. Establish responsibility and accountability for the employee's actions. Answer: D Explanation: From a control perspective, a job description should establish responsibility and accountability. This will aid in ensuring that users are given system access in accordance with their defined job responsibilities. The other choices are not directly related to controls. Providing instructions on how to do the job and defining authority addresses the managerial and procedural aspects of the job. It is important that job descriptions are current, documented and readily available to the employee, but this in itself is not a control. Communication of management's specific expectations for job performance outlines the standard of performance and would not necessarily include controls.

Which of the following is the MOST important function to be performed by IS management when a service has been outsourced? A. Ensuring that invoices are paid to the provider B. Participating in systems design with the provider C. Renegotiating the provider's fees D. Monitoring the outsourcing provider's performance

D. Monitoring the outsourcing providers performance. Answer: D Answer: D Explanation: In an outsourcing environment, the company is dependent on the performance of the service provider. Therefore, it is critical the outsourcing provider's performance be monitored to ensure that services are delivered to the company as required. Payment of invoices is a finance function, which would be completed per contractual requirements. Participating in systems design is a byproduct of monitoring the outsourcing provider's performance, while renegotiating fees is usually a one-time activity.

Which of the following provides the best evidence of the adequacy of a security awareness program? A. The number of stakeholders including employees trained at various levels B. Coverage of training at all locations across the enterprise C. The implementation of security devices from different vendors D. Periodic reviews and comparison with best practices

D. Periodic reviews and comparison with best practices. Answer: D Explanation: The adequacy of security awareness content can best be assessed by determining whether it is periodically reviewed and compared to industry best practices. Choices A, B and C provide metrics for measuring various aspects of a security awareness program, but do not help assess the content.

Which of the following is the BEST information source for management to use as an aid in the identification of assets that are subject to laws and regulations? A. Security incident summaries B. Vendor best practices C. CERT coordination center D. Significant contracts

D. Significant contracts. Answer: D Explanation: Contractual requirements are one of the sources that should be consulted to identify the requirements for the management of information assets. Vendor best practices provides a basis for evaluating how competitive an enterprise is, while security incident summaries are a source for assessing the vulnerabilities associated with the IT infrastructure. CERT {www.cert.org) is an information source for assessing vulnerabilities within the IT infrastructure.

In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure: A. implementation. B. compliance. C. documentation. D. sufficiency.

D. Sufficiency. Answer: D An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of controls. Documentation, implementation and compliance are further steps.

Which of the following would an IS auditor consider to be the MOST important when evaluating an organization's IS strategy? That it: A. has been approved by line management. B. does not vary from the IS department's preliminary budget. C. complies with procurement procedures. D. supports the business objectives of the organization.

D. Supports the business objectives of the organization. Answer: D Explanation: Strategic planning sets corporate or department objectives into motion. Both long-term and short-term strategic plans should be consistent with the organization's broader plans and business objectives for attaining these goals. Choice A is incorrectsince line management prepared the plans.

Effective IT governance requires organizational structures and processes to ensure that: A. the organization's strategies and objectives extend the IT strategy. B. the business strategy is derived from an IT strategy. C. IT governance is separate and distinct from the overall governance. D. the IT strategy extends the organization's strategies and objectives.

D. The IT strategy extends the organization's strategies and objectives. Answer: D Explanation: Effective IT governance requires that board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategiesand objectives, and that the strategy is aligned with business strategy. Choice A is incorrect because it is the IT strategy that extends the organizational objectives, not the opposite. IT governance is not an isolated discipline; it must become anintegral part of the overall enterprise governance.

Which of the following IT governance best practices improves strategic alignment? A. Supplier and partner risks are managed. B. A knowledge base on customers, products, markets and processes is in place. C. A structure is provided that facilitates the creation and sharing of business information. D. Top management mediate between the imperatives of business and technology.

D. Top management mediate between the imperatives of business and technology Answer: D Explanation: Top management mediating between the imperatives of business and technology is an IT strategic alignment best practice. Supplier and partner risks being managed is a risk management best practice. A knowledge base on customers, products, markets andprocesses being in place is an IT value delivery best practice. An infrastructure being provided to facilitate the creation and sharing of business information is an IT value delivery and risk management best practice.

Which of the following does a lack of adequate security controls represent? A. Threat B. Asset C. Impact D. Vulnerability

D. Vulnerability. Answer: D Explanation: The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information and lead to theloss of goodwill for the organization. A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the 'potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets.' The various elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionalityin this context is a vulnerability.